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{<Mii} This invsti-iifers reiatss to cO!r!piJt<Jf pfeUorjrss 
arid shsif wssrjOds ot cpss'atsoiri rsnd is psiUciiiariy 
ftoncsjfisrf with ccsilfoiisng &na'or n-iSsSdng the ;nst?iifa- 
liort aftd'Or use ct d<5ta en cojYiputef pssttorms, 
1000^3 in ^iis spc5C!!iG«tion, 'ctesa' signifssis anylhintj 
■bsi csn bs3 fomatt3<jd!gif;Hfiy. such as Knssges. appSica- 
!)ot5 sof5vi%!« 3n(S siieartiin^ frissiJisi. Th?; isthniQyas css- 
scritsed tbiS clocyn-gr;; car. t'Otmimiiy ua>?c5 to pjo- 
iQCi or fnsSsf rnxiny typcis of K-i:;>f;n<3!!C.«. fro; n sinr-pie \sn 
{iocam&fiHXC, atjd:c<;5!:d vxf-x-cl^pji, ftosi^vsns, i^rssphkis 
photo- and !TiU!l;ir;iodta n-ssierr-'.fe 
[0003] in tf--^ t <-c -p i\c A -..5 - XV . ^ - ^ 
schisve s. fr\m& securv? sect"-;;; St-goincr -atsin intsoniy 
checks on oihs) ccd& io tjns,i."v iha^ v::>.;5.-jS oir.-.^ ijii 
{sisthorlssdraodifesuions havs nol bssn made !c ths op- 



reliabte mssisisfei-nonl and reiiatite feporting o: inicsorjty 
mstitcs, Ti-Jts cnsj&lss vefiticfiiion oi Shs inSs^riiy of 
pialiocm by siinsr s iocai ussr or s rsf>iote sntHy, That 
pfiO( psssent appiic&;io« dsscribsd s gssiefst f^sihod of 

c-i th-* intogiiiy of « pimton-n by comparing t^pOftsd vsi- 
i«5s of nie-ric^s wifh props; vafyfts q; rrseiri^sj Tbs prgssnt 
inviK-uon ij5;3s Sicsjics c:h«ck!n^ccsti<5 who5» snisgmy is 
feportsd using thsJ meihocf oi ihat prior ps!<5nl: ^pptica- 
tion.. 

POST] in ovsjvisw, ths smbodirnsni of ?h« pressn! i*^- 
vsjr.Sion !)ss?s ?«t!Viftftf-!;;.;t:;Di' coifHx.v'iS.nt '"■■'^iijif.d 



Sf-pfOO) 



1:8m f^as noi Ij^jfir; larnasrsd wsii:*; a^id to pfovids a rrs>r<5 
iat5l<5 fcifr: OS f^itci^inc; sdsJiTuty tnsn cuf rsntiy avsiiiafeis 
(fof !5.«»r;pi«. iiw maci-tin^'s Sthssr^et nastis). Ysf how to 
counissfsti ptificy, snd i^ow t» Sicsnos and mmt sofi- 
ware in s m&nnsf that is accspts^ie fo soffwafs devsi- 
oporS: »nd m6<mws^ wil! sSiiJ be a vety tn^porSarit piots- 
fern. 



(0004} Software iio&ming is ««(jjed ia hacksrs and pi- 
•aoy. atVii ali Sjs currem so^war^ iicsnsifjg meiiios^s 
used have prooiems associsisd with nmm. ^<ii\mm ifn- 
pismenMiOsts of ifcsnsin^ {stsch as: "iicsnce manags^ 
msnt sysf sms*) are fiexibis> buf nof e^ecial^ secure cjf 
fast If? particufer, Ihsy suffsr f ra'Ti a sack ot ssctsrstj,* to 
sxampfe, ijsing SL!b]scj $oa fjSj-ssric "hsck"-' ; »-,nd dlfficiilfy 
in gsnuirss rspiaci'msnt of sottwars. Cos-svfjrssiy hatd- 
vs.'Sfs Impigfr^sntetions {'dof^gi&s'} am fassoc and g^ttef-- 
aiiy \r\of& ^sc^^fs tnsn ^oSlwars in-ipisrnsr-lsifics-is. but s-t- 



ot fits present snvenii'^ri. snsf« p'ovsdsd & compiMt 

if?t8rnaifamp*5fing and wiKCii 31 
key certificiUe ; msans storir 
prising St tea«ki m& of: a secure sxscufor (which is prsf- 
«f?ibiy i^soeri*;) lor chs^cicing v^hethe? ths pisffonri or a 
tisef :i{:5eteof is fcsosetS: Is ussi psrticular dsfa lor 
provids^g rm iRS&dats for using Iha ifaia and<'ot fo; jrion- 
itorirsg iis «§<?90; and s sscyra loader (which ss prefer-a- 
fely generis for ch^cising wheflier fhs pisiSforrh Of a user 
thsrsof is Scensed fo insiaii pariicufar data and-'of for 
;ch8okirs§ lor jfeia jfjfegdt^ bsfors ssistafialion; and 
rrisarss storirsg a hashed version of the ifcsnos-rsfefsd 
cods signed *sfifh the ihsrd p-sttys, privais ksy; Anarsin 
ihs s;cfl■^^!i<^s pisffcirn h piopa 1>-^. t.^- . 
booting of th€< piatform ths iicei-scs-tiiaitjci code ^n- 
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c-fypsooraphic ide-i^tity arsd 5c p!-ov:ds aiftJis-itscity; snteg- 

quired. Th&ss and olSiSf crypto sfistfKsds as-sd Jhsir int- 
liaiisstsOf! afS w&ii kriown {o those akiliad srs Ihs art of 

by sej-rfffig and f jasfjing Ihs i)c<soc«Ke!a{e<3 code io pro- 
(jycs « fif St i"!<3st}; ressding and dscryptSf tins sijifiad v<5f ■■ 
sbf-! usir-p ms pubSb key csfiific^ls to ptixJisco a sasoorf 

nsssb. sn6 camp&mg the israt srtd sscftnd hasi-ses. 
fOOiai PiBteiabs^' She iicencc-feifiicd cxic f:U50 Ef? 

a is.'iSsci -riocuiy or ^:noihe'r compi^tef pio^cfn 
Tr;;s Hsy 'ran&is! fcds is pa:1)cyl8f!y usstti! in Irnprov-tO 
k©y ms«ac}sme<nt when usitig Iscerssipg modeis te- i«- 
vG'vs sn !.if';>D<:k key. ihat <s. whsfss Jhe da!3. is lm!"ssmst- 
i&dky s-t anc-yakiii foars and shss ijrSiiXk k^sy is ossd to 



;5cj oij}. by i: 



Si f>li!> 



{Jecjgtev govsmsd by gens-rss; sssncs-mfeisd software 
{<5S defeffea sbovej inai peifc- r»s :!C.c;-;v:o i.i^^-c!' r;i'Ci 
* protsdsd wghtnss t>yjjasyng tiy E-slsgfsSy checking 
Sue-! >rcs!-si:s-chcick!r.a jotlVMSfs nesd s-sot fisn wXhin tii« 
ifsisSssdmodute ssseif. A prstsffsd stags is. Jh« iogicai sx- 
^«^^■^s^£!>1l ot such a sy&isin i;-; vi-issch shs Sice'-ssincs soUwar^ 
Htm wths?-! !h«; i(u»XQii !)X!d!.il8 A faqueiit {o icj^sd o( «:<- 
m>iA^ sofT^O d55!a wH iio ser^t to fh55 trj^sJisd (nodyi«. pwt- 
«!ab{y from ihs soSvvaro exsoutor '"he iir-j;;;;!?-!;! s^oft- 
we in ihe fe-ystsd rnoduis wiSi 8v;ii $..;>■■:.;■; ■■; 
stvi dscids vvhsthef to aiSow ihis en oi 

i:c«;n£;frt!5 righis>. I! iha is?qtii;st :s to .^iiiow;:-:::. 

'v5 {Ut^'' v4VXJj> \ v! , v' 

Thsi corrif KjsjSions pato i§ pffttus'iibiy iiii:ic>:ss{5:b ^ to 

theri ^Usrts u^s process Jo Send or sxecuts she dat¥i, =as 
appfopfisie. 

|00t8j Vsr;o;js fnssbods rtov*! cQfisidsf>3d Ir-i ivhich 

;,ysk-!(>^ ismpori^nts >r\ay ifttsrssd to pftflotrrs 
i-Gsnstrsg kii"ic!iori8ity PirsU eofisjderabcin ss givan ia ins 



key. and checker;!? ior inteSfsSy via r;:;.Sihin 
sigrisiyfss. ThfSfe may ise m opison lTans!*5r^rrr5 data 
Hmtt in this rTsannef; ysr-'^g secure soaaer. 
[0013] Prs?sfai>iy ?his ticeiXiJ-fsteied cgde siso sv 
eludes a iilirary of iojes-fac-s sobfoiuinss v^siksh cart b« 
c-aiisKf In order to ccJT^n^unteale mih th$ uustsd modyis, 
Trssf ciisrst Bssrsry is s coiJscSion of high-isvei interfscs 
subrokitinss that ap&iications. cs-Js to communjcafs wsth 
•he Uumd moiSiib T h-j ciioni iibfsfy may siso be yasd 
by sc-f}w55rs exftCiJtors (see bsicvv) \ov ««w)«db8Sion 
wjiis she tt$js5^l !Tiod«Je ar(0<»>e;aiin5i systsm fOS*) 
f0014} The ilcfifise-roiatod «odo msy sf^eiydOv ?of at 
\sm{ one ^jroup ot daia.. a (or a rospaotivs) soSv«;sf » ex- 
sc-otof which spscisles ihs rsspsctivs group ot data ssid 
whksh is opsrabis io acsl as an intsrfacs to ihai group of 
data. This aitows msshods of Itesnsln^ protsotfcr) sps- 
ciiic io Ihs pfoiaotsss data, arsd thsrefors potsr»tiasy a 
g'Sfatsr fovei or' prossction If a {.ottwafg essscutor' is as- 
s>oc!ins:d wr h iiP. appjicatiors optionaiiy is pfocsss$sqiJ§- 

■ Af-1 caiis) s;jR!v-;ttsoi &y $hs appircation. 
(00 J 61 Pi srsiHDiV. i: psm^ifi, the msans stersns^ 

ct w \ sodi .-••CvCt vrca^, '"^^ 'i(8 
! -x, .^i *! s; -•x-fi:s'-feW--xiesxiear>ip->vid--xi 
al isast in pad, tsy ma Irsjstsd module, 
(00161 P:e!<5f;r;i;!iy. sr.e rrtisted (Tx.^kife Siftd ar- opsfaJ- 

on'5 ^'-!t5•o^^^.•^■',!l e-- Vvhti^r-; sf'sscCiJ^Sir-iic ioosh- 



mm patuftyfe?-«at&-amt«C!r .to diecH-.ih8.-?t5.is§my-<sfmt- 
d«»s sri rssponsa to sucti a request the secy ra ioadijr 
is opera c.-io to perform sucn a chsck and tsspond so the 

vS-- operaiii-sg sysJsm mh She resuls of ihe cheoiv and in de- 
pendsnce upori ths fs^ponas, ths cpsvatu)-: siysieiri is 
opemhfe to irsstsi! or ript to iostc-ri! '.'X; p::fit-x.i;^' data. 
Thi§ cnsck on She piaifoffn ot ys«r rjxiiy o<j porSoroxrd 
vas^ciys ^nsUxK^s, s«ch s$ sheckajg for iha pfft&enca 

ss of a privato appMioo K«y ot oth<st s«crei in she trt^stsd 
rtsxlule Of h a sfnari csad or chacKtrtg lot idaniisy 
and presence ot ths trUsJsd module or snwt card. Such 
m idenlty could be SRSds. known to ths dsvebps r. or 
such a secret could ba ir^serfsd into the trusted modLils 
Of SiYiafs c;^ !d d^jfrng a ragi&tfaiior^ pr?x:sss. This anai- 
ogous =o ;r"!t< pK^Joii^ >.\i!!C-^ ; fco jf^si^f l'^ss i=tisr 'n 
ampis .A.. 

1X5^203 it^ this mods, pr etss^Diy she operating system 
ia prsgrarfiffisd to rnstals ths pa-ttC'jias dstis onsy rs- 
sponsa torn© secure loader: Arso, (rrtriscnode. pmtef- 

siSiSliXs: ti-'S op'jratffjq systoiT • ss apsrabSs to ifisiiida, :ri 



; pnv; 



; v<^-;ich thesy cofnconenis intor- 



jslsd iVtcx!ul$ SiCt as u ger'serrc 



in she i-equest lo produce a thrrd hash: so dscfypt tf?® 

■?!.:(;h has!-:- and to ^ssfj&taJ^ ih« fijs.f»f!3a sn depesxi- 
;.[x.& upcfi whethsr Of f!05 She tnird snd fourth hashes 
match 



3 



imZVj This cJ^scKS bf inbsgfiiy o; r^^s^-s^ige- ts^s 

ie!i9s.''rsspcsns<5, or irjtfodijcing a tilstco.'' at {he coms-n-j- 
r!«C3tio«s In the hash The pfobtem d noi-i-fSpticiiMfcn 
csi.r: b& ?x\'Qt6&cs by ksspiEitj pflvaSe Keys :« tssfnper proof 

sc>!$wate 8)cecutor fo; Jhe pKsticuiaf data. 

ectuof (or at l8»&; of?<5 o? she sctJmircs s3«?cy;of s) is 
3!<5b^8 to !jiq!.i8si she ifitsSsd trscsdiiie to insisiS pafjic^iiar 



3! «8SC 



(tS) The sscuro ioacisf inisgrity checks ihs sofiwsrs 
6){se.iJiOf mm ii is fsesivsd - wrs jnslaiistion of 
ths sofjvsfiijg sxecutof. tte Dsckaqs is venfisd by 
h*tshf!ig anci companson wiin m<3 decfYpt«d sigs-sa- 
\'^t<i (USitig the pubisc Ksy srs ths trustssJ sriOdute). 
TfiQ wltwarc- cxe-ciitef ss noi iosdsd i? the dsgtSa! Sijj- 
n-iXum doe?; skjJ trsatch whs! !S sxpestsd. a?xJ in this 
c:as55 \hii !>«cuf» kHjdsr signals isn (Stfor, The secure 
tefef «!SC) imegf isy c-tm-ks xha <SstsS ttsaif, ysirsg ihs 

ths Sfscure executor opgrsues So use cM&. 



c>pfi rating sysJam is suppiisci vts shs d«:Ci*.?i5"sd convnu- 
!vc.5tai& pi«h as descfitisd above 
lOOaS] With «lih8r of these instailstiod modes, if the 
chssck succeeds, the tfusisd modofe is prsterabiy oper- 
abis to g&nsrats a tog tof aydifij-ig ths p8?t!Ciftar data. 
Also, it !h« ciisck siiccs^dS; the $scure ioador ss prefer- 
<jbiy ->f:<>--sr;5tiB perform a vss os cfwcH csp tfts pafitcyler 

fOSag} Upoo tnstaitstloa the p{5sftfCi.div cte trvgy b« 
insfeit«d Mo m ttusssdpiastcsfm. Altsfrsetively; the pi?st- 
lOfsn may inc^uds a tufthes", rernovabfe: trusted modijls 
(5uch 8S a snfssft card) md bs opsrsbis to perform an 
sSKti^stiitscation check between the firat-trssiitionsdtfus^- 
sd module af>d ti-se rsmovabJs trusted modute> in \vhlch 
esse, upG"; inctasiatioe, the partscufer data e-^sy be ifi- 
siiiJied ifiic ihs furih&r ir«sts<:i modufe, 
10027] Ths eoftwMS exeeutof may ftseif bs protected 
vis idtes^rity cteks, catma by ths sscufe k^det. 
r-"Of &xsmpss, this proeedUf & f>-!sy work as toitows 

is) The- icjlivwiti; C'>-4(.:;fc- ti-'Stor^tSs^d siich the! 
iiif. ;5ui5i:c hs;y OGi :;5*po: :c:: :!; So ffift ftiffirtf s triistsd 



hashed arsd signed wiih 5he ckieriognouss/dsveiop- 
pisva-e ksy and Si^!S ss,- iot^t m cor.\\inaior\ wsfh 
m<i <tetia Sixi soinvaie s 



:sci^ t.=„5tx; tg-x-i-e v?y 
nociiiO, and Sc respond to tl^at sofiwsrg 
i-ic- signed rosiii;: sn fsspofise to suc-h & 
sonvv<jre executof iss op<?>iPi<f ^oc-sck 
ihB imsgnty of the Signed rosust usfnjj ins pur^iK k-iy of 
V* ihs trusted tncdete; and epoft a syccessfui inie^rity 
cbmk oi a succ&ssfui iicance-chsck resuft, to feqsjesl 
tns dperetsri?;^ gysteft* t& use ti^et date; 
(00301 !rt ss ssconcJ sxtJcuttoe n^ia the sotlmre sk- 
wstJT (or ai teest oris of ihe sottwere e>!«ei<torsj con- 
ss tains « piJijfc key ot trss ifwt«d rfjsjdy l« and « iicsesing 
rtsxisj bf th0 respeciivsJ dsia. ihe operating? systerrs is 
tremble ^o reqiiie^t the seeurs exectstof that particular 
datsbfi used; in re^scsisets such s rsqaest, ihe secure 
executor is operable to seod to ihe respective sottware 
^0 execytof a ■■eques.i. sicned liSKir^ s pr.vele ksy o5 the 
Trustees n-(.xii<o k-a=i.,> ; % "^jpt 'o * ~c p't;tc-^(?r 
d«ta; in fesponse to suci; -'I'lt-! s&quss! iri-vi sctiwar^s 
ijxecut-ytsc'pe)«>>'f v^<-\iiN r . 

Uiing the public Key ot rh-s -fiJ iU.;; rncdoio ar:d upon =:! 

to';h«> j;ecitre exee«}«>!-: ;sr;d ^ic-j;;;.-; or i-^t i:c»! !s;!-x: 
srscjiisl, tna Sixruvo ssx-jookv operf-bij;. ;c; p-i^fior-r: ■;• 
esriftft-ci-ieck ijsin-i^ tnai iics.- siiig irits-^sri: i^r-a ijpo-i :h 
euccosstsjS licsnce-cl-seck io rcqiiGrst U-::,: >p:-::;-"f;::n ;. ;' 
ism to !.!^e iha datsi. 

100311 it} .;>1ttv10'^(5CUtC''l'VOCC ih'^S^i^^ li<. 

cotissins ai iea« ons icr^stfig nxxisi th.^ opowii'iq sv's 



ism is Cs3e 
iiCUiii! d3ti 

ins sees; 



sxecUiOi- ss opesa&ia 



a-iiKik ustrc;; ii'io o: ol \r 
upod a S!jcc5s;e-ij: i:ter;c--5-ch; 
•■nq syslesrs lo ij&e thai dasa 



^ io request the operai- 



10032] With ffPy o! 1i ;<5s(? th: 00 oecyEiffi-^ itjod'Si, pf$t- 

.J <-!tiV -riO vf..Ci.=!S;;"J ;^yS;<5-n sS ps OgE&mtrtijd lO USfJ 5hf! 

id K fourth sxsciJtiO!-! ntCfds' >.hsj sscore sjs&cii- 

nxscMioi- (or a\. isiisl CEie of she sc':{\'v.'4!r«-- esijcijki-s) ss; 
opej-abis to riXitJee; the iwsx&a frx5>:ii.ii« ihm «ts !«=;ipiK - 

!>s?ferfn a iicsncs-chttck j;s(ng the, or 00$ of ths it- 

IS fsqjjgst !h8 opsraSing system ts jjss ihai dfisa. in iriss 



Timed 



wsf<s o-r mih refesencO: in a ci<5Vic.«. or 

{ij! U^(ii9 »,n !j!ibciv ksy to dsctypl dsls snd aHowsig 
fi to sxecute (snsrs am vsrioijis. op{io>-ss for dfifsfisig 

ks^iksnc! of Silts codoj.. or 

ic) Ch53ck(f;g fof lic»r;siiig nghfe in a duM^BSs. cor- 
ti55<potsciif)!^ 50 <i o'aia fisfsfsncEJ and a disvsce sdsn- 
fi^y, Of 

frig {o a data f8fsre;"scs and a dls-vics idsjisiiy, asid 
Ui5ing this lo yfiia-;^ tiie dsua. 



[0034| V-':-- c j \ - . . ' ;o'^ 
|CK)3S| With any ot Bfjs hrm \o Soatth exssuiaxt mcxSes, 

rind -scofdsd isctiisiy h'tsi km:pt'. ¥>\ooi xmpononi 
Tr-.s-is is ihs opiw^ to eafsy csut al a nurrtsm of d^- 
tsrerjt sia^ during fteenslng. The mosi common wovtid 
be at ths> stags «f v^ifcli She date vs®s allowed to ran by 
1h8s«!j5Uf8 exsc-utof Or scsfh^ars esecijiof Anotn&rcom- 
fViOn poiE'st vvouicJ be ;s- ihe siajje at vvfwch ffus secur« 
iOi:sde{ has syccsKJ-stirfiy oomptoUrd lis ir^jsgsHy sNjcKs 
on shs data to !>o if^sEaiUid. end 5ias sycossefwffy it?- 
s}aii«d fhis dais csojo ths ciiarii rfjat:hin^. Sines \h& 
oufs sxetytor, scftwisrs extJcuSof and sec-urs fosdes gfe 
proSeded by inisgriEy checks, som pfotsction is givsrt 
agains E hac ssf s f ryir.g ;o byp^&ss or edit ths fogging proc- 
ess SLicn fogs i:V0!iid provsds XxAh secssfs audifsrig m- 
i'crr-sssflo!'! and the possits'sisty d tlsxibis fifismsng and 
paym&nt rnodsEs-such a^ pay-per-yss, mnfing. tjs-ne-dsi- 
p.?ndent cha^^es ancs ho on, Sych audst fogs woi-std 'or rr> 
Ens baals for i^saass f-->pof1s and iri-'orEViatioft acc&ssifc-ia 
Eg ih;r!5 p,s:Eisj-? r>5.:ch as- uiij -Ytachlne E;,^&rs f"f" dapari- 
rmni ci co;r!p:sny .ii^jdifof-s inw woitid :«L'50 f>:?iva cosn- 
rosfciai vaki8, such ;hs lor afivsfusirs;^ o( ^^ivsng JftiJcisxiCK 
oofaEiogsi. 

rC-0361 ,^ .a--\ V 5 - t^< 



sxscuior is ops 



c cEii'ck IS praicssrad i)y ir 



|003Sj is 5o;Sw4i:f; .•5:<s:c.iJ!C-r do«s o^l iPiJCffy ix ii- 
csnsing moSfsod, or thsrs h m soitws oxscyEor af - 
cached to:teappfis8Uon, mssseurees^oeti tor JTiayuss 

V* a do?8tiSt pf05£?5d fhat wiSi have bmrt dsf med ior Ehe p,?ir- 
Eic-jiar machsm. This wit! havo bssn ssE by Eh& n-i-s- 
chirs?;'$adf?iiEV!StE,=3itor whh lh« frsachsrie's «-:-;vitcsn?v!ai-i! is^ 
misxi; f«>f e^xatnpia, i! the n^schins js oniy iB«:d by o^ia 
pSfSiXi, a iioerjsing n^lol cdrtsspotjding Eo if5« ioUrEfiai 

ss tfustgcJ rr)o<JuSg would pfohEstJiy J?s mc^t appiopdEsio. 11 
wiff nof posisihie Eo byp<3ss Eho secyre axscufor. and 
hsnc& the licensing ii^se-ks. because ths saoure exec- 
utor cods will navs iaaen inciudscs 'A'tShsfi the pia^crm In- 
tsgnEy check as pari of ti-:s booj tntegrsty procedurs, 

*s [0040] Oiftsfsnt rnodgis of liosnsin.g ejss Jbs secure 
execufo.' and software asecuEor si dsttsrsat ^vays Aj^ wiii 
be apprsciaf sd !ro<-!T the sbove Is possible eo u3« tharn 
ia &Ofr^i?(ns!!oy?. or with eilhs? p8>1orr)w§-th6 Sicanssfig 
ai^esfe; TS^srs ars ivifo main pretsrrad cpiions: 



J checking wahtn Siia ssciii-s; exscufer for 
jarEtouia; pfocssi of dat?; in s-ornc l>i fiu; sy- 
5 ft the next S8cti«3i fi^e softwaret ^sxecutois 
iiisc-sie dirsetfy wflh the operating systenr; In 



sijpioach is So piace n^ors empha- 



Thi&aitsrrsfiJive avoids putting th^s bii.cj<5n otthepfo- 

to speci'y iicsn&irtQ choicss vssty sssiiy -irtcs n-iak&s 
u'ss of inLsgrlty checking oi iscstKs theckifig ccce 



* irs return tor psyms-rit, ihe dsiabass mUy corrs- 

with ^is key; 
19044] in fi( Sfecorid protocoi. 



oi' dMii miv (fic^ude arty psiJtic.tJiaf iniormKlioo ki fc 
chs-c!<eji iot ioi»Ain<id ikimg ttw !-«^R;;r«S!<if) p. 

wiShio •hseDfnsso?^? pi8?fciT?iatoai ihsms^-iGdo- Ikms- 
iog io ijssd, ines paftsctjISH tf;jf.i*5d device an wftscn to 
;v o - h \ n ft,! i u hiS'sO 

b>s protscisd. For gxamijie. /ji;;«jr;s.'f!c?,. ff?©!ftod;s<5i;s;,'. 

mil\m thscLfre)!! smart cafd or mntm\ tmstso corr^po- 
mis. with sottwss's sJXJiCijtor;: irsdicating wfiieh type d 



t!a«i« s prolife stored i-viihtn tj-is jRisksd 



or a ijfofslg stefed mh;n iha trsjsted rriOdute tor li- 
w^nt-ifig figiiJs. c-ormporidsng so n dais mfeserits 
arxi ifie ^fusJsd iTiodyla ID jji^uy (or ss-siarf csrd ID 



spCrtdiriQ to {susisd rfsxiijia ID c» Sf!-!«it card iD 



f! ihii sot 



10043] Various spscifls protecois sr^hy- be c-npSoysd by 
th& sscure «xsc<.Uof. For «xa-T)p!€-, in a sirss pfolocol; 



ttis.3 sic«m ssscutor die«;k?i the tt\($ts<t ft'jiacSsjie K 
entry at smart csim SD : wtfy; 



(h<j st^CiJ'O e>;<5c:U'0i sh<JcKs -or <* ^iscf*! sjorrg- 
^ponding io a softwa? s of dasa rsf^-rsnce if! a U iJSisd 
rtiadtsie (iriCte<:Jis>g:;8 smart mm: 

8i6 secret to fjs checked tof ss epecitlsd by ihe soft- 
v«jr8 s>!<8c^i:0f asiOcsi-Ki v.'i!h ti-ift data ^'^M>S& II- 
cenCi> is ^&inQ ciuickiiQ. sand 



op«sof)8% 5!>8 jswiri? ^xssyisf dowlo^sids data:- 
»s^fi sri-srias loio a pfo^fsSa siored wj{i-ss5 {n« tfystad 



only if Vii& s<scr«! la prese«! in tho Jrjsisd mcsjulo 
wiii she secure executor syti-sOfiaiSthsJ OS toaxecyte 
: ihe sssisoiatS'd software or: ciata. 



the sseii re sxscotof iJhsciic? an sjEteirtst databsse. 
Of 3 isrofiis stored v^it^in the tr ostsd rrioduls agssfist 
a dsita ret&rence arid the trusted moctiiJe iO efttrj.^ 
(or st-sisrs csfd !D entry> for an antock key for the 

dsia; 



the securs execiilas r(Jt;-3vss 
Jhe asisocsaled dsiia so ihst si 



s key S5rH5 d&CEV[:.-ts *^ 



pS4Sj !r> a burth prolooot: 



wiSh:some dat« stsr&ci wfth 
smart card to dscryp; int 



^mi are vatsous op^!C!!s^ kj! usSi; -.k; .^jncs^o'c^ !>, 
o! tt-is mtook ksy, iocisjding parii&t yriiookinij of the 



k,sy 'mihm she Ifusisd moduie. slong wuh tfse data 
feferaRce; 

the d^ts is protected via encrypSion o? psrtfai sn- 
cfypsics"! ysing ths corfesponcting key; 

thsrs are Vfsricus opSions- for dstS'^rsog tunciiOjiairfy 
of the u«iOi5k icey; and 



so l<m7} In a fifth protcsool 



secure iJxsc'.ttor ussc 
ieoMasiosedwimsftih.- 



prs:-d3fined;aigofh 



& She cfecrypsion key to c 



« JV wotcy^Ht^b^! xjs.sc«r c>^80kr«5 ma or 
jitc -3 cc>*^ fid Mi'" h t d ^ 

0 ^iai-'pc' Hn 



so noo n •> ^ M f -i <^ 

s c-Ji-s^Sf^g i&f^n'^c a^oJhsr m'^-hms^ boss dbs r« 

5? «Wat<* C^sUH :>-SO(S 1^3 ' -^W dOV t," r to! i 

t^fii y *i hou thf! r!*«8;3 Jhe vos dor ' s s \(^) ^^'^ 
lO'^Q fsrc %irtg r fM{^Cff• of mw 1 3rt«* tir U 3 j 
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8. !«itL%i!&3?ior) The ccs-i^^i^l pfcvsfef airsaciy h^s 
fts pubis Ksy o!" TCI sfts ths (;f!<5ir!S! ■sgis.tfr-ssior} 
and <ss1a Inssaiiation pfocsss: not tn« is ssi"!l to 

1. 15 She owosf 0} TCI wsshss. to iransfef tfw 
i!cer!c.(j u> TC5. thsre is caii Iron tns OS oi 

tf}fi> licsncfis f»f daUi S to TC2 

2. SKT in Mt gs^sfasss a tmSm fsufi^r R 
;sfK3 sgnd?; a rrms^ags is asking i'sf ifsS ii- 

tc ths daia S, {ogether with the pubiic key cm- 
tfet«o?TGt 

3 !S U2 o&3ains asjthctfisaisori jscri an sppscpfi- 
source SKI in Wfepifjjs sn iix; a}t;rft-5.shv«=, 
Indtiding R, the pubiic key cjistsHcato of I CS?, 3 
rs?55fisnGS te S< and s nm mstce T iimi t hm 



With TC2's pufchc Ksy aod aiso a riash of 3)1 inss isi- 
fwfvsstsoi'!: signeci with TCi's pfivste ksy.. Only TC£ 
s wiii have {be RSA psivsts !<»y to discrypt the sym- 
o"!6tric key whsci-- wtSi sofov,' decrysJicn of ifis u-i-cjcK 
k«y, 

f. Msssijgs v«j{{i«i{(Oi> Tfie SKT sj-s Mi^ cis^jcte; Si'ss 
*e sfgrtature usiog {{{fi pubiic tey of TCI , aod citscf j.'p-s 
{h« n8ss<3^8 using thss ^yjinmsssfc l<ey obt^sinecJ by 
ctec;!V}:i>'<-'-'5 tJ;5:>s;) TCP'S pnv«k: ifn-is. ti'st^: 

stofscJ Within If re Ifustad cor-rjixsnent. ard asscseisi- 
5jd vvi{t> {!-^« ciste S, Si ihQ sigrtaiurs is rsot coir^ci. ssi 
mm rr\Q$sag^ is $mt to {iie SKT m W- the f>fo- 
:i.ecsi stop§: 

Csv Key cssielsd jjofii TCI, andiconssnt pfovidsrs'so- 

*K {5 .\ ! t 

pOVf)< ^ iN'J-<' > -\i->t: ^--J^H 

{.-s- : ;o ion^sily SKT in M 1 or in m smd$ 

a rpcy»- ;d !"s. d<sia vsndof fjsving dstssSs how 
ovvnor triay b<5 conuatifxi ior ffi^glst-'^tion 



T!^8s« comfniJmcstions t-Jd appsndsd So a hsstjed 
vsreioi-i of the CDmmt;nicaSson signsc by She tasst^d 
5-noayie's private Ks?y »-! tne sentfefs macnR-sS so 
ih«i ;$.-C!j!vft;- SKT dni oheok inEftgfify o1 sh« 
!Tii5ss«9S. :{ inisjjssjy 'ihsckS: i;sfi. msssgssssfg 
ssni by s»ch SKT to iho OS v«tfifn ti-s^ir fnachitjss 
srsd ihg ptotccai isteps. 

C, Progrsm aptoad, i! ihs above autHsrsticatlors is 
S!jcc«s&iL!i. TC1 n&snss{h8ctettaS{opt!onaliyavef- 
siOi" slrsficiy sign&rf by li^s contsni provider) and 

S'>^!-!S !! A;'--: t"S: 'j'-V:;;!* k«y Ot TO? {tOf SStaiTipiS 

{•Siisg Mscrcioifj. Ai-ithecifsiods). TG1 thsj-s upfosds 
i''' & S'.: ' ; Viiii^C' \<'(i^ ih.? dsJ^s into TC2 Cp- 




fr^sssags to ins SKT vsitich bicxks kitmsf iJ8SSi39<? 
oiths iices'^cs iransisf pfolocoi. 

£. TranstSf key. Th" SK" -n g'-'-'r.h-.os, n v, 
!-!5Ctr!C key s - ^ ^ 



lOOSS;! Thsfs !s an aptm ?of tbs lr«st«d component, 

V* and lh« soJtvsars oxscutor. {o acs as a oew part 
cpefaling system, and hm a t>f!dgs b«twes« ths oper- 
ating sysism KOd Jiippisftsttons, tsy pscsvi^jing sn snwori-^ 
ms'-ii for C8!l8lr! fsMiori$. oxatiipiis. AF! «3(i!s esn 
fe& fi^a€3:€ile t{5fi iriJstb!^ fT!<»^«is ss^cfr as -save- a^d Vs^ 

ss siors', *Savs' wii! fSJSS da-a Uifos-igii ihe irm^ad fnoduie, 
v<^!io}i wsii isncrypt the dates in !h« tfissieci rnoduls and 
Mors It simef in Ei^e tfustsd modttis or on ti^g fisrd disk, 
it wi not be possibie {o access this dasa wsthoui ti^s psf- 
rrsission of ti^s srysied mc5duie.. lh&r& is an additsonai op- 

^0 tiors to carry oai some {rs(nsforfT^a{ions vviihin tns trusSsd 
module using such d8fe> anci for tno t,otLV«a; ff fo t-se APi 
calls fo feqisest iniorrrtatfon ffom iht- {r^isje-d n-iociyie «!id 
fj«i aft answer ssported. in s-un-in^si-v, AP: ^.!:■;; ta;-: be 
ijssa.{iTemiii8:so!tware sx^^cyter or appsscaison eods to 

*^ Ihs tr-jsisd module to cnack ■l;f; pr-^s.«n; <:.-' is ■•xi 
rrsOfSuis ar a prsvais app!k;aiis5ri key sicred on the trsjsisd 
n-iOiJuis isnatogouB to existing dartgfs meihodsj. S5nd 
iHfiher: soosetosj tfusi-sd mftdijift fof pfSvsding an <5ftvi-- 
fjjfjFTiSfit tor csnsio tyncsians or datss sjiosaq®, 

mm] - 

Ih0 applsesstion cods or thg sofii,v8fs «!xocutor and uses 
;5qym -noOc ' . >u ^ r ^ > ^ - -vt, - ^ , 

oppficstion: key or oihsr secrst in Jhs ■rustsci nxJduie or 
i,'"^«tniOO k c et.n><^ 1' " 'iv X ^ ^ "t 



thss truss sci moduteOf:Sfr!M;safiS;: 
j0060| in oni particufef irtod«!! vshtch will be dsscribsti 
in more cieSsis: M^r, a licensing sriocisl ts smployed in 
which ar, srdry in 3 licsnsjiiQ-fsialsd dstafosss^ coifs- 
spcfiding to ihs trusted moduis's !0 is updsaisd.. aod ihs 
socute oxsciitof Wii! oniy siiow d&ts to run o-xs perfT>!%- 
siorss Of! ihf{; tJatsiKssjs hmi bm-n chtjcked. fn xt^m cssse. 
•he j5of;W!S!e cjxfictjtor assOTSitgd with an sppllttsSiort 

th& 8<icyf® exscuics- ehscks the ttgfsts. 
isnd if ihfe check succ:«5«ids. passes the call 5<s iha OiJ«sr- 

sttng system ('OS') in csjcier idf ih& &ppiiGstkm \ohB ;im 
m thsi Horraa! mannsi: iff al^isf wotcte 5h8 OS ciccepts 
casis io sxscuSe cfets only ii ihs calf ijomsis frofn secyrs 
ilcsnce-i^iiated cods such as ths sesurg exscuior or 

|00S1| in .Js^G'.her sr^anicuusi ■■tj-xIs Cvhfcn vvtii ise oe- 
fc-'v, ii nco Jv. =>i She (U vt, Wt-Knis'^ a 
biy stores hardware; srsd/c-r sottvvare ussd to Implement 
tJ^s iftvsntfon and tns OS ssecefits; si^iiss so -JxaiXiis dasa 

$0 tvicxjui<5 ID snuy for an !jn»<;!<. Ksy for the cis5a, in this 
csiSiS ihs dsta is pfoisc-t5<i via mcyfiXm or p&tihi m- 
crypiiOii using ths corr-ssporidsng Key: arid hsncs csrs 
trseiy distrsijutsci witnoat imr of piracy. Once paym&-sj 
is tTi3d6. da*KitJ&se ef?tfy con^ponding sotf)& irij$l- 
ssd mcdui&'s ID wiiS b« ypdsted wiih ihts H^y. Wf^st? the 
osi-r w?sh8s |o riJn Ssb afs>ifcatfcs}, Itie Hsy ^« 
irfev«d tc5:alj«w tfjss^ata 5c! be ynk5ske<S; Th& K<5sy rtmy 
is>en ho ssored if} the tsmpsr-preof dwics so Shai she 
dats&ass lock-up nssd only happsti once, Howsvsr, in 
iicsnsing n'scxisis A'hsrs iloatlns ik;sr»css are dssirsd, it 
wouis rnor^ sppiopfiSEs to store sudi ksys csiitraiiy 
and aiiow stccs&s oniy on sach SKScatiOTs, so that ths 
iit-sncs can ihm m restored to ths appropdafe group 
':>f 'jsis by ^incihe! user Thi-ss s f>-sodsi ^or iicsfjce 
cnsinge'' is pjovided. 

(00631 Acoo-d^ncjiy pf'JionJ snvsniion sxtsnds so 

ths !5asg tn wmch jhem ss opmm. mmrmtm mimsa 
thsificuftj SKScuk;!. lhesoi;v,'ais sssjcEJicrsndtf-eiriiSi' 



components ^ives great fisxibiliiy m licensing. Mosi c>b - 
viousiy. Si pfSfsofis! user's smast card vvould fee used In 
coirtijjnation an int§fnal Istfrspsr-proot dsvsce wShin 
me cof}^pLster On tnis, type 0I isc-ensing n~!QCisi, the soi}- 
i= wars? «?xscu!or or sscijre SKeciitof would run ths dsssa 
oiiiy ii a paflscuhsr smart card is pfsseft? (orosis of a s.s- 
i«5:k;£i gifiiiip oi ssTssrs csrcfe presef^t). 
(QOSSj 'ihii int8)ru3! t!U?jied !Ticdij!« fionSatris s irusicd 
rtjachine kSsfitfty. and the po;iai>;«: iruisseci -riodt;!-? (:;■! 
tnis c.a8«: a smart e«3:fd) fx;i-:ti:l?-;s a;-; idsi-n-iiy s,p.^c:l^^; !o 
ths user fwhich could be ;siiih«n;!c:5S-.;« 'itm .s': ^nc.or- 
poraisti teiomfit;-;c deviCiSj. Many dffisrsni ways is- 

is p;wrs in ihs iollowing sectiofil and ihssis are anaio- 
■'5 coifs ic! ihe optt&ns pies«nted m ihe Fisi^rrsc: Emboci- 
sTssnS'ssctior^. Ths diifersncssafa ihat, according to {ii« 
pai^Jeaiar fnoiSsi Ir!f5plsr?^erit«3; 

♦ Th& srnad cariJ idsntst;/ is invoivsd ni Ihe JtciJnsisKj 
so ci'seek .carissd cui ijy !he s«;cure sxecuJor or sell- 
sxacuioj, rasi'iijr Shan il'ss iniiinial rfsacSTino 

Iho secure execuiof v/i-ic^" isq^.-ii-'ig sno i:n:0<.":i< Ksy 
io (a) copy sha unlocl-; key in an encrypted iofrr; io 
tie tfusied rrjoduie, by ths smart csfd snciypiing tt 
V* using the irysted rrjodu js's. publ ic key: or {b) use tbo 
unkseK k&f trsm thessf^art cmQ dlrisefly.: 

» There: s»sot^i<s:^tfeatiai:P!t)eswe5in the is-sSiSfr-ssitrust-sd 
fi^csdaie afKS the sffJatt esf^S^ AygiensiCsSSion isetwsen 

ss {he srfUift card arid Srtisfed rn&disie is carfied oyt at 
She sta§8 at which the srfBtl card ia ^setted. and 
She ciirrent smsd card ID istemporadiy siored mih- 
m the trusted {Tioduie^ to be used tor the Sicensing 
check in th& $am^ vi^y as the trsjsted module \0 

^0 wouid have beer? used in the iicensing n-tocsels de- 
scfsbed in thi^iioeyinent (see Sxanipies. B and F 
dsseriSsed later). When the sn^isr! card is removed. 
Of (with sin^ie Sign on) tns user iogs out this tef?-*- 
pOi-SiiV smart card iD valus vvithin ths Srusted mod- 

^$ «ie is; f sss? to a nui! vaiaei 



lemai rriacj-iirts tfKsisd mociute asid s pof^abts ErvisJsc 
iTiodute {cs«ci \M sscurs exscLstor arsd sotEvvsfs ssxsicy- 
lot'i to &S!-tof{V! Sicsncs checking !;gs>sd ;!^3 jsi&j scsn- 
tsssociaisd Wiin ths (joilv^bis tfustsa n-iotsufe. 

whk-h WiS bo ciS&Jftbed m '-^O'O oftts- t\->ovo 5h<j 

* jh«5 f;otppytsrpl«fer(T^ Is rngssisced with a Jhifcipjsfty 
C, OfisiotJsiV. C is \ho trusted tJKxSufe iD or 



vvlf'n daia; and 



3- A !• tHiS s-uccfi3<a; 



iM c-r a sman card; asscsc-i&tecf v^'ith tns ressvant da- 



» cteia 8no)ypf«0 yssnsj s i<.tJV K ami ar^y a^iscxiatso 
so^w<?f& 8>i<scm is S!gf^«d undar O's pfivsite coos 
Siisniog key aod ssn? toy C ioths tfustsd f?>;x}i;ts: and 

finodute iDof snsan card sD. 



100723 ir> y«t snothsr form: 



d8!;=i ami S!f:i5.oci;:t5.d -so'lv/.a^^ exscuto" is 
^;(in«;i i,;x,-sr C s pf;va;;? cc>:^e Siqninc} K«y and mfil 



pfwa{« cods Siloing Key «rx; ; cy C to sns {asst^d 

IhS mteK k?5y cotrespOTdiJ-scj to K is tncypUK! by 
C iJ$H>9 §-s8 tf»sSiS<j rfiodyie's pubjtc Koy, sijiftsd 
C's private ootie sigr-i^rsg H«y,. and ssfit to the 

Jiis key transffiif cods decrypts the unlock ksy 
chsc-ks inisgrity and tiis sfgsiatijrs. aod mss key ss 
th^n siojsd !!"! tr>e kuslSKj nioduis associatsd m\h 
\hii rslsvans eats. 



[00733 A spgcif io sfT)bod>r?ieiit o? me s^rssent irwmtion 
wlii now bs <^©scrib8ti. pufoly by way of exacnpte, with 
refsf^-ics to \hB accompav/iiig drawings tn wnjcii: 

Figyrig 1 is a dSigrsm 'A-hici-- shovrf ihe 

fnsAh&rt^'V Q- compiJiiri-g apps- 
fHtus adapUid !o ificiuds a uusiod 
devicesRdasdescfibad in the pri< 
or paions iJf^ilcstioo fnenfiofied 
above; 

Rsiirs 2 i& a c!iagf&^ iMilch si^^ows rt mors 

detail liie ifusisd dwics s-ho^vn S!t 

Figurs 1: 



«n un'.ojN. koy !S •janssiccGd fsotn C to sho end ujof 
o! ibo corr^pyisf pfettonTS o( *c tn§ corrspyi&f piat- 
torn: 

the key •s^-.nsfer c<::de caict-'i^stos ihe decryption Key 
cc-'fesponOaiq to K (rorn >iie f.irtoci< key, ihs trusted 



diagrafi! which itestrates 
a i:- voJvsd in acqtiinds an 

rr^OitiC of the {50!T>pUtiftg 
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ifcafsons bsiws^fi a {rust- 
ed cofTipiiling piattorfn snd & 

8dpiat?owi v<5fifyf!-iQ sis sni&gnty 

subjecj of Jinoiher psseni appiscs- 
nor. {applisanrs foj 30030088) 
having xm snirtm {iisf^g eSfsis «s the 

i;? a s;.!5a!rfi:;ic block d^agfsrn a 



a tfsj&jsd dsvics which is 
sppiicau'on mssitionsd asx-vg wiii 5:- 
mih rsfsrsncs to Rgufss 1 to 6, 
|8Q?Sj That Sippficalios-! describes 
mo a cotripusinci piijtksfn £sf 
<H (jx!ii^ii« whcKje Kificiioi> is U> bsrsd 
pla^?c«n so rsHiabiy rnssiisut-K} dais, th 
tegf isy rofttrsc she piaJsOf-rs Tfi.j Kh; 
ti-y s^j^iJ!? ;;ofni:«}!<5d <\' s (frSi 
by a -riisU-d pany iTP; Shai i« p;<^p 

!!T;p!icai!<;.<? f& ihai s5 lesst pari oi Ihs 



ihs prior patsftt 
iy b<3: descfibsc! 



ihs incofposatiOft 
sd dsvice 
she sdsritHy tss 
ii pfovicias an s-s- 

va!y«s provided 
;Ki !<:,- votich ?Df ihs 
'«ateh, li-?s5 

of ihs iotsgriiy 



iitosttaies iht* k;sn«it ot 3 proiiX-ot 
daia uoiliised m tesystsm of Fig- 



Figure 1 S i« s ciivag«;m oi th(5 iogtcai con-spo- 

sysSam of i^igurS: 14; 

FigiJifa IS illasicate& Sh© sifXfeSifte of protect- 

of Fi§a'g14; 

r igufS; 1 ? is a fbw ilisjsSrstsng in.s{&jiing 

5a 0!-! 1i-;5? sys'sm of Figure 14; 
Fjgiffa 18 is 3 How chi5:t sSfystrstsng $hs use 

of(8 mo<J-^>i 01 Sicsncs ehscl^ing: 



systerrt of F fgum 1 4 wpksymg m- 
cjtser fr>ode) of iicsrscs; chaeking; 

Figuiss 20 IS a ffovu ctefl iiiusiraUrsg the y>o 

0! pfotectedsonwsreo! -cssta m the 
syslSM-n of r-«)uo 14 tJ-rfpiojfKKs a 
fiiithat sTiodtj! <;! fexiocs; chsKkif;;.^ . 

i0074| Bsioftj dessC-rtbsrsg the s-n'stjod-n'ssnt of ihe 



Tfns seoay5<s ih© mm ii usis ins ar-iiily. Tho $n • 
tha piatfotm bacsusait has prss'iousiy vtiiidai • 
s ideniisy &ncs sJeiafn^ioad She propo? iniagrlty me}- 



pa??} Oms 8 u§af has asJablisiH'dtf wstad op<5ir^!io{^ 
c; the piajtom), ha ^xchaftges oth^r (ia-a tt\B piai- 
form. For 8 loeal ysejvihe «xshaaga tnt^jht b« by ims!> 

ss acting with sorna soitware isppiicstioo sxioniog of^ tiss 
plafefn For a mmlo user, lh« exchanus fnlght: invafvo 
assourstransactfors. in sShSf case. Ihsdatasxchsng^d 
fe 's^gnsd* by the srysted device, Tns usar can th«n havs 
greater ccrsfidenoe that data is bsin^ sxchss-iged with a 

^0 psalfof!?! whose bahaviouf can bs itustsd. 

Tiia tfijsisd cie*,'ica ysas aypsog'rtphic proc- 
esses huS cfoas nos nacess^^sfi'V provfda an e;^safn^•J iiv 
tertaoa fo those crypto^rapj-siv piocsssiss. Auo. ,s rtv^n 
Of<^ -Of rv-ftv^V?*, is t 

inaoiiasssbse to osbsi pia5foi-n-( lynidiorts ancJ psaviOs j^rs 
' >l' -inl iy .!u > ^ 



theiretofg; pfeterab^y 
fienl inai is Ea^Tssiigsis;-: 

tsshosj^as ii-!cii.id8 snsihi 

itl8?!'iq iS«: -t X-s' 0! 5.3 ^ <C---' 



Oo'ac;i;-!ii Ttie trusted deviea. 
oivjisu one physical compo- 



1l 



m 



o'^ti tit p '>} n s( -i" ^ 
|,0080j hst JJuV{,s Cv,-!^*--- hy^-ft. CIS 

h ■> )! f <^ rvtr> tit -« % > tjf o? the !->! ' 



V 



■> n!-^ ! i vvOVfOkjcby rti'^ts-^Qo 

" t nj" V ^.t^t of ov« *<j hs »i« Uo>'n sp^^ 

<, o ! i -i iv K V ^ -^ orna! ^ > SK BiO" 
1. ! * 3 ' ^' «3<} ' •> i\ 9f * ) h < vV f? 

uvlO^tvi »h^)cSdtHC e<t3cJ hovv ^ 

|00$4][ Cte3ifH iiwor cofrv^ri ? o i^tiprorsovi c 

c <iypd id v" '^by hft rran oroses or > dt 



C 1i® csiiJ iCf>to S'i ur r» I«t5 * a p>jb fc ey -if 
ro)'-' !<it g' >, f nc 04 lited by -s UpJoi 

•sof rdsx -^r -^sW of m wn* to the -icq 

me -ns h-jd i -^Ny orinq sso (« s l g^tv n>t. tr 
o, 1,011 ot. i rt<) i.^ 'f^'tif % 1> vdb i. ){ } <3'^s>,c " 0 



IS 
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1 h t -) > f -ii -^on *5> ""y f4S J- ^ 



% i&J ^-j -^n^ * ^^-"i! ten*. V ■> *>C!i)j""Ofi 



It 



fKT^ ^ <^ !" -nwo ia<^«Mto o so foe 

tv J} c r!« n p!o^«w«f 11 the '> rim p ^>C(js¥o i f •^t'OS 

41 J •'iSiasss'd '^fpfxs ffi<|fcvtf^ T!-!'^ pweoteO"- * 
c ih u t- ir 11 -"p ■) i ->'"xs«sot 



=5 J -V "^.iO 



is. t,s^ I ♦ < hi J i if i) ^ * i: »n 

(OOSai Op! at t / <>\ < M ( 0 '>< CP « ^ '•■^ 

v*-fSproos''vaws A<Jdi>o Of S^snAlsfty giw<*t 
ec! ICS 4 fjsa f«s, sc> ^^^^ 8o<^'8 « vs rfnd noi 
pvdssj con --o! »f ck £5 BiOS t ifu<*tsd f'tviC'^ "4 

[01001 F<j rssfejiu {'■•^c ! to,? vjiadaf^ij/ a P 
■ne fv.»isc C5<^vk- l pco i^<^ <=it<''^ '"k 3 «, 3 u 
A » I aim '^'nstie o ^ ) " s <. 



1 



tnewj -sc Ssjet,*- tot 'i«.i> ^ici "fis 



U S V >K f V- t St fe'^^ \ 1 H 

f c \ > t. ! f^t " % f} " t( \\h 



Htit„ Sarto 5 !<J ft \ \H 



I ni>-'c^im<\:> ot-~- a-A^ Vifwt 



cults j>i&JCf<tH 8 <^ r>nrf v*o»v)tiJh8 
*fiJSi<5<? -}s¥ic« 14 -sl^'^ (5 s r-^ <j feci n >^k.rx> ^c?5oa c 
1U The nsi-^oTi <::^ w rt '^c cQri '^ai o ho i t«Q 

^0104] «^ <n'' p ! Hut -^rr f no{h*^GN 



pate-" ■ippitcatto'^ r'-^m v -s? f h > ng "ic 

\<!d<*c> rv* red" ftd by<"i^'' dat-^ /f^fss n 16 » 0 
s y { 8^ i i im u<* \« «*!«t)V« -sn -si t <. 



V 



f V 



i 1 C i so ncl d s li -skf 

f^t r ( o !i ht- f!vf! 
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fivj'^:;:0i\-3: con irf^UiijcaJiori p^^^s 122 isub-rsfetreirscecj 

k ' ' . U ^ X'i^'r.Q CPU lCi;, '-ii'-aaiK CJffVS iC4 

^iiid Liis jed ?.on^ ! }4 o? ns^votk ifiJsftace card 196 
By way csi sx*(fnpSs ihs tfustsd nKsiute 120 doss not 
have siich s ssparMe 8ddit!Oi"s«ii co-n-viu'-iicstoi path 
122 the •Tstsj-riofy 1C5B 

f 01 1 3) The trusted imixiy 1 20 csn (»!-n!ri«n(G;jto wl!^ 
•he CPU 10?, hi-rd dfsH dws '^04 and !ed joms of 
!h{i f-istwork srs-sfJaaj catd 106 via ihsj adciiuofsas (X->f?>- 
fntir-.!C.«j!on psihs l2§8.b.c. f!jspi5c.ilv$iy it om «i30 
Cfji-Rsr-uriiaMs WEh ihe CPU 102. fjsfd <se>K f5riv;j 104 
bSssck xoris n8 of 5hsi nsiwat-t tfSsstfjee cafd "SSS md 
'V " Pv X 10^ . i'^ 0 1?-- ^orTi sICFt 
1 lO The tfusuxl n'Kxii.iis 'sSO --.lisa rfc! «s a lOOV?^ 

c:Of!:!sos Gl a poiicy sk"fsd srs irusisd •rioduls Tha 
tatsi-id iTiodulis iSO can sfeo got'ses'al* C'vpSograpinss 
keys S'ld di-;.;fib(;!o ■tic >o k.jys; iotfia CPU lOii ti;a l-afd 
d>!Vi: ■! i'- if) ■! -xi /ens 1i4 oS the nstwrfe 'sf\- 
tostes; cvt:^ ■ C.-fi .xicditosS ftornrfumfcgtion pst^s 

rO1 1 4j Figure S iiiusir^iies ihs physsciji sfchiisc.;i..fc o- 
ihs '.fu^'sd fn<xi j'« "i^O, A f:r >t svv(tcf:«"8 srHPf"*; -~ 
c>cjr-!r-;sci8ci sep&raisiy 1o rss addfliorsal corfitr!!,iri;«;(:of) 
pali-i3 !2ga.b,c also an 's\\mm\ cotm^iir-sscstlon 
p«th 126 03 ifis trnm^^ module 120. This swiiohing ori- 
gin's 1 24 is ontisf conirol of a policy tedsd ioio ihs irasi- 
sd sr)Od«!s ISO Othsf «oft\»ORsn{$ ol Shs trusted nrsod- 



3 1 g$ mat m^nggss iii$ xmsiM 
jTiodute 1 20 anci jj^rforms ^ctmml piijpose co-'opul- 

for ih« irystad rrfodys® 120; 
voialiis rr.smory thai stores lomporsry dais; 
non-voifiS:i<? niernory 13£tn&1 stores fensifiiWdste: 
^"•>o*vCsf.^!:" ^ cna.f50s ^34 thai perlorrs-* sp8&<dt!St 
crypto ki!K.t:ons sucn as srsc^^tior! and key gemr- 

8 random ?>ufnbor so^rcs? 1 36 used pr irriariiy ir? cryp- 
to opomjisns: 

a s5co;xi s^wtScf-liig srsgsns -JSS WW. coortecSs the 
!;:.;:;'<xi ■■ix>-5;.j.? 1^:0 ic th* C0fr!tiiL»iiC8!«ti 



Tr.stfysieia n-iOdoie i20 dfsmbutes seiscted keys so 1^$ 
CPU 102. hard dssK drivo ;04 and ths rsd ^05^^ 114 ot 
lbs iissvsork is"!tsri"<3C€- card 1 06 ti&ngihe addrtionaf cojrr 
municssliofi paths t22afci,c, rsspsotsysiy ratter ihan th& 
s norft-sssl ccj-vm^unicatsons paihs. 110. Kays n-say be osad 
for canrrsuiiic&sions batwsoft tha l;i;eiY>a1 niod^iios 
102.104.106,120 of the plaJtorrr! over ihe norrriat coJi^i - 
mur-teatien paths 110 Othar tefYiposasy keys jrsay be 
i.md {by iha naiwork ff}!<S!faoe card 1 06 of CPU 102 s 5o?' 
feyik anc-fypiw Of dactypilon of oxtaraai data (.ising lha 
SSL prolocoi altar }h« trusisd moduie 120 has cosi^ptet- 
sd SSL hsindshsiksnii phiis.s; t^;3^ si'saa 
r<<>n y j<^vK ^ S a > \ "> < "* < >s!j^i = 
trsstsdfnoduis 1 20. Othsr isrnporary keys f?iay used 

revealed !t~;sida Jhs SrLS&ied nicoiiie 120 Lissng iongtarsTi 

IP 1 1 ?| ] n-ijstijd rr^iXi-.jia 1 .?0 enJo-cDs, j.o' icv conSsoi 
ova' <o ■■I'^x, ^ !. -V s>ri\vc ^ r !.o by ' s " v"!\ o 

f» ppsrso? rnoduias by rstusin* 

;»-5c.U!a ccivar>ynic;at(ons ovar tJio shaisd infrastractufs 
i : 0 isaswsof^ Siosa pasrs of rrscduias 
[011^ Figara S liiusiraJss a process fey which ih« 
trusted modyl« 120 can parfofrrs a isfatohdog fanctbn 
and 'ping' the modySas i02, 104,106 connactad to tii$ 
additionai comffiurticatbn path* 122 Tt\& Srasted rjsxi- 
iiUt gsmrdt&$ a chatfeaga 142 and sands it to she CPU 
1f52. hsfj^ScfisKddve 104 arid raa^JOsi^ ii 4 oS than«swotfe 
^isdac^ catd 106 using sh« additional co}irifnantc:alto 

35 patfts i,22a,S5.o, raspactiyaiy. Each of she CPU 102. rrard 
disk dttif<s 1 04 and osswof k intsr ?aca ea??^ 1 06 rasponds: 
wsifi a response 144s,b,o, respsolive^. on she rsspoc- 
Xm additionas commynioasiosi path 1 2ga<!3,o to say 
w'^ather the raspsotive rrjoduSa isaotivg, and preferabty 

*c thst tj-is )7^od>.!la ss. acling pfopeny Ti-;S Uustsd rr-odula 
ISO notas t.ha }§5;ponsas !.44abc >n!Xi l^sos- -hof^--. as 
mayics fis raspo^iaos^ to intaofi-v gss- a^a 
dssoriDsd abov:> wiii- \V:r;-:>;-;r^ ;o F i lo6 
1,0119} t-tt^m- ■ -ii:, i- •? ■::--Xs:i^. :x' wbiC'^ ip- 
oofSiinsj ^>;<;€^tn.sl ■x.;■^•^;^ !r-?s;-,x,-:i p ■.x.^^;iid vfiri^, 
the t!-u=5f«d r(>-xii..:o '■: k'Q is, tns oniy f!x>di.iifi !0 !hs>pi!=sr;c.nr, 



aiwfsan giv- 
«kayst!"t3tsnabis 



2S 
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Indicsiion to th$ red zons n4 o5 isis r>ef\TOrK iitisrfacs 

Ins network iniSfJat'S card iOS Uisfs ssnds A pfolocof 
data unit 1S2 contsthirsg soms csata ssftd & mcjis&sf ?of 
ciscryptcrt Joths tf-js}sd !-ncduis 120 ihs riorn-ssji 
cofr!)r^lJnicasio« pashs 110. Ths Usjsleti modute !20de~ 
orypis th« (fete using ©ithsf lefT^porary or lon^tetri^f kijys 

•,5 ;.if:!5 ;?4 ■x ni-siriins She dwyptefS Oass to ftw CPU 

CPU I'ji-.'.^S. ^PpfOfiSWiiS {)CtfCJ!-. 

|0120| FsgiJi-s 1 i i;iL;s(f3t«:S ii i> pfiX;Sss by "vhich ih& 



» S!i (dsnJ-nsf !"ieid 1 6S inciicatisi-g ths type ot m«! pre- 

tocos dsiayntt: 
* s tef'sgsh tssSd 170 indscTitng ti^s sss^gti^ of she prcto- 

coi data unit; 

» 3 soijfet' field 1 ?g indicsrfing the £;oiif08 ot \M pro- 

iocoi data unit: 
» 55 dijstioatjixi tsj-id ■574 srsdicsising xhii desSsrsaiKisroi 

Iba pfotocoi date sji-siu 
» §o oi>, itwluding b> ffs-aoy csijes a ifete fijJki 1 76. 

101271 Mo! .stti fis^ds afs s-iwaysj ti8s«ssafy. For sxarii- 
-^.iij, tj'sj.fjoi-rg iUti jv>!:c V '■-4 iis -r x- . o ' : t'V 

i- (N'fj lit" Hji-^ J ^. , ^ '.^-N ^ c-fi, ' 



HSfsrencstoFig 



!!5 fiKj-jes; ■ SS ticcaidav 



siijy isction. Oin^fv/isQ, it abantJons iho procsss. 
[0121] Figyre t2 iitustfstsSiS a« ©xsfnpte ot ttis assitfd 
of poticy ov^ir pfotectsd ccmmunlcations Pslwssrs the 
oicd^i 4. 02 3* tOS At otr^co-^r jm-^tio'^s r^^''- s 
i5X*!f^>p}Si use lh« additiom! cortUTtofsic^iitfo?-! pat^s 122 
Tr?9 «J« sofse 1U csf g-i-* network iotef^sse card 106 
ssrisSs S5 pfotcsol dats una ISO ttat ss dsstinsiS.lof She 
hasd dissh dfivs 10-^ to t.Hs Sivstsd tr^tsle 120 on th« 
tsddilioftat jfesia path i23fi. In ihs cass where ths p^^lcy 
doss not psfiTiii tt^is, ths irustsd modtits tSO dsnisstfie 
request by ssnding a pr^oeot data ijnjt tSS ccs>laN«§ 
s dsnis! io the nstASfofft intsf^acs <iafd 10B on the addi- 
ti0!-.3! data patn 1 2gc. L^l sf. thss CPU 1 0g f sqagsts ssn- 
s-itive data ffooi the f-sard disk dfivs 104 py sending a 
prc'ojoi d.s!ta addfssssd to the ^^'C (ihk&m 

biA Bm: m tns addif lonai data pa?b 1 iZa to tns tfustsd 
modijis "1SQ, "ihs fajitfsd =-EK>G!ji55 checss that tm; 

mocfote iSO retsysihe ^fottsxs data u«* 184. iotnshard 



4 psov: 



•Ok 0! li-xti: •! 76 by wiisch data )S p;ij«i3d ovs; ttrs adds- 
•iC'is;- .^::i^-^iL=■:^catlO^■! patns TS2 vhe da'stptotocoi ui-sit 



connsded to the tfusssd rrrodm rSO by means ol ons 
laSd ot tn$ aodiisoftai cor?;}r,unicatior!S patns as da- 
scribed isbove This sriabtss tPo trusted fnoduls 1 20 to 

V* reliaisSy write to tne dsspiay. vvitsiout fear of subversion 
korn ftormai software, inducting ihe sspetatiag system. 
A?so. S^ie fio^ isjftiput«r 1 00 is connsptfiid ioa K^ybcsefd 
if5i ttias has s bijHt'lfi ssTian card f«8der tos, oJ 
Vii^T:ish twnscted to the ftotirsa! eoirsmuniealiofis 

ss psxhs 11 C. A emast <SMd wf jkH is inserlod into She .srrjatj 
card rmOm 105 fissn be coosidararf ts> be tsr^ additional 
trustsd moctuis and is therefore abis to oonirai^nfcste ss- 
eursiy witb fee trusted moda is 1 20. 
pt^B} Figtjfs IS ititjstratos a iogica! diagrann of ttis 
oornponsnts of the tft<stsd moduie 120 c-Oirspdsing 
cmmg code cojTipoftonts £00 and oUisf i-censmg data 
comporisnts 202 wstnin fhsj trvs&tod n;i>dui« ;£0 Ths 
osnsing cods co;ripor-ft:"t'5 :?0C- iu-: wiLf'i--: ^r. p:C[-iC\n;a 
mmmmml. as pfsi/fously dsscs'i&sd. and pfsfsrabty 
withift !iia trus,tsd ivioduie 120 ttSijif, Sfsd c.on->p; a ss- 



IS126] f-igufs/lS iSksstraIss tine i-isuctuss protected 
; sottwars or data 222 wjitisn itjs cSisr^i co!-<;p!iief i 00. Dig- 



m 



sioisd tm pubisc Key 228 o5 Jhs Jtustsd tvsxsafe 1 20. This 
st'ijcsum 230 is, stofsd Jogeihsr with a i^&shed vofsion 
232 of iS, SiQn«d witn the ctesriVsgnou^s or sevsicpsf's 
pfiVftis Key Tnere wjS t>s a stfsjtlufs «5r:Si0£3O^s t^s \he 

or sjpgrading aoftwao or o^her o'sisa os-sto Jhis ciierii pist- 
tot'-fi, te ti-s» 9etifi>f;3! c:qss w!wo the «i«cij!«i bsscSigf 206 
m«iy not be Rsnrsifsg wt^i?' she Jrustsd frscKiyfe 150. 
f01283 The dafe- to be irisisiiiod ij> hi}s;-i;;d jind signsd 



.'-andOfVi i-iymbsr ino;>c«), fv.id -.n step 26.+ muss « chai- 
isnc^/rsspcsrtss! to tiis sofsw&rs (jxscuior £26 corrs- 
^pondifi^ 10 ti^&i piece o? ctets(> by fi-isarisof sesidsng liie 
natcS: iocie;h6( with a tsi'evence to the appfetson s> g. 

.roixSijU; iSO. 

fS137j R>!ic:-v*ing fi3c«:jpS si step 266 -he tonwarss 
eKscytor 226. b> step 268 i! verifiss and 3!.iih8E^tic3ta'5 
t!& s(5e«f« 8)!«c«toj''s ctelteRge tis^j She pubijc key 
25B ot ihii lvM^6 s^^otfois 120. If ihers is an tsfror, or iS 



fQ12$] ! ^ i\ vv ^' J t 

.«jori, te-Jhs sseurs !C>«5a0t 206 thai She daia be insiaiisd, 

seridsf. thereby ai'seciong au-nsntication ol ih« ssrider 
imm] if aushfintjcation ihm in sisp 240 ih« se- 

.5J8P 246 fe'scuse ioisdsr 206 fiot^puEss ins o? 
tfis mess&ge. -m xm cryptogf^hfc capaisjlkfes svalfei- 
witJin th« sfustedrrtodyte i£0, and irs sts«j 24S com- 
pares it to the msssags hash that is assocs*aeti with Jhs 
daSa and \ffas fscsiv&d in st«p 2S6. This checks for in- 

10102} !5 the tehss are riOt Ihs Ihis sndicaiss 

ih85 tf)e<teta has bsso «ilsf§ci and ihs5 ti s^wld M foe 

insiaiSed. ioJhiscaso. !fsdi^250{hss$c:yfe}o4sder206 

s&nds nr. error rnessagstoihe OS, vsfjtcli irssn perfeffns 

s!eps 342,244 described sbovs. 

|01 33] if tne hsshss ars found to bs the same fr> step 

248. trser? Sii step 252 she trussed ?«oduie 120 inskes a 

;o<5 ci ihe ;nstf<!iat;on a'-sd in sisp SS-t shs sscLsra ioader 

206 mdicales to the OS lhas {he d;aia can &s !«st5{iied as 

nofiViai >vh;ch ihen h^ippsrss stsp 25S. 

(0134) !■■ 'y^r-ii! io;vfi'5 o? chack fp^siticuiafly iicersce 



ihe data mt<i optjonaisy s iicsosjnQ finxtef The 
x..f^i-j: is< )r(di;dsd to givs prolsctiori sgainst v^pHv^ &i- 



eriC- 



fnodel specified by ihe $oHw<ire «xecys<sf. This may m- 
voive yniccklng th« data using a i<8y. Fwdher detaiis of 

V* ihsse ilcensffig nxsseis &r« conydsred -atsf !t Shetc js 
m Sft*sv«sifs exscuiof associated wilh the dala, iha se- 
cure «se£>;jtor ir!ak:« s !«:or>5;:;-!g ci-:i;ck corrijsporid-i.;^ 
to a defeyf- Sicerseing rnoctes pfsviotjsiy sei wiii-ii;^ i; py 
m adminfeJrator. if these is a valid iioefise, m step 264 

35 tf!8 sesi.ite sxeoufor 204 ask« ^ss tftsslsd mod^iis 1 80 to 
takes a tDeisfir5;g word of she iras^sactiosii, eJeps 
£66:2SS, and in siep 290 ssnds permissKiri fo the opsf- 
atlng sysSem io sxeciil® the cfeS&. Upors fscsipt in sfep 
SS£: tiis operafing systsn^ sxecutss fhs i3&ia in step 384. 

<*s Foliovi'inc) iics^H-ing ciiscii in step 282, i? thsfe is no 
va-sd iiciince i;^ s.i>:?& 295 ths secure sxesutor 204 asKS 
ths op--5:3(!;">g syjii-'f ;o ■"iOtisV ;i>s er^d-ussr sppfoprisffs- 

10{48f F-!§yre 19 * i;o-.v^ha!i '-x < s^-SS' 
*^ moiisi of Sice)iti«>cf)«>ck!;x-; wl-icrs.- i^x^ Ol^ conviXiPiO.-iVss- 
\*lth the sottvssrs os<5C!ji»rs.2J:6 (SJfusf than ti-ie secuf^i 

\ ' ~ >^ it ■> i'l *r 5 ■«£ \PW i- so iSi 50 c 

>;;xi s-.-'^^ v. :-.;-x«m5i;s{;3af)!ymo!jnffeivvt{h!nshe 



pfoiseiion oi that data. In is ssgsifi is tor ^snsral eass 
vvhat« »c.e<ns!n§ sottwafss not nec0ss<t-':iy moyni^d 
vyShin she tmstsd sr^odufe "t20. Tj-ss prc5cedurs fs as. foi- 



if 
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if! s?sp 30S she seen:® sxscySof 204 rrsskss ars appro- 
licsncs, shs« if! skip "10 ih& s;5«j!-s? sxecusor 20<4 re- 

cefismg nouites -m OS appfopnsi-siy, steps 

f01433 it thsfs is 51 vstiid iicojxs, thcso in sssp 31S ihs 
stKajre 8>i< cUor s - s^t '■-(.', «}> ) < o f m! 'xs 
ihe nonce ar><j \- d iks -jiU'xr on 

120. This nenoe jnctud^d fo gsve pfoisciiOii aQSinst 



i^K-iga o>Qd«i oi i!C&!-'.CB checking as. .^^or-tsonsd ?»J5oy«i, 

modviie 120, ajid she Sr«sfed trsodijis 120 acis as a 
isriSQe bsJwfisn an appiicato and Jh« OS. Ths process 
!& sisvitiar to tiiat givsn i« f-sgurs 18. axcs&J that Ihs ss- 
ctim i>xe;;«!af 204 ts wiU-isrs sKg Srtj;5tsdr!>xJuis 120 itsei! 
Kod ihe seciJfS «Six:uk>f 120 sj-jes c:o!T;rntjn!C<)i!on 
122 (pr8isf;5b?y disdk:«^«;d; !"!<::-;ri ifvj InsiWi^ vKxiuB 
ISO to the CPU 102 iffwf! ocj;rin-::.if!i';:-.;:in;i w;;.;. ;h:5 0$, 
fS1471 Thsrs are n<3(V/ d;ff«!i;:-ii 'A^isvs. if! v.-i-^icn Shis :!V 
vsjr.SKi!-! csin be i«5ed D«?!ssik> oi n-x ot itiiii now bn 



22ir 



i^3tcd 



V. I V s. ^ c X'? <«r ^ 'Of nsssag^ as ^p- 

sropri«s$, siops 314.31S, 

|01 4SJ in 45 p? sf sif ijd fTiSchsrsism for enforetng checks 
on p^tmission to ^mom digksi csssa, she tfusssd mod- 
gis 120. ificiodes ihs hsfdwars and/or si<j!'es ths son- 
ware ussci to i«ip!8f}-!8nS tho iiiveriiion. in particular, Ihs 
5rt^t«!S mc:<5ySs 120 »cis ss a budg^i between an (t^ph- 
cmion fim 1h« OS. Ths OS pieistabiy i;;riores sSi re- 
quest?- to icsdtx rm applications excopt those tmr\ l\w 
■rustsd rriwiyte 120. givsri via a corrifrtynicatsa'is path 
122 betwseo tl^ifi Sru3i«d moduSo 120 srici ttw CPU 102 
thai IS prg!Sfa% inaccessibis to cs^dinary applfcatiorss 
anti nori-OS sofswam. The pfocs&ses operating on the 
ho&s <5ompijtsr are as toJiovtiS. Psrst. thsre is an inSfeai m- 
Qijsst to the tfustscs moduis 120 to exacufe an appSica- 
lioii Of csJhSii (^la pmferabiy vis Ihs ^ottwars &xscutof 
226 f-ssocisteci with this sfela. isnti usyafiy in rssponss 
to i-ovTid action 'oy >rri Vhs s-otivvars sxscutor 

:>;:6 !■ c ent,^ tne r'>.:j>^ r-a iste- 228 at ths t.-sist- 
sa moduie. 120 ers whsh the ds?a is instaiied or to: Ssa 



20'- wili convisy iiiss ifitojTnssiicn ;o ihe OB via a comm* 



iioi^siiy into ths isoTps'-i^ssisisni hardwars. v^i-s^rs 8 
vwyid run}, Ths soUvvsf;? ""i-'ignsy ci-;3c.k0d ysino 
thssscws loader, API sfs i.;ssd ;oth$tn;st3d mod- 
ale to check fos she prsssncs ot a soc^st ir- she umm 

V* models s>r drtrnk for ths^ idensiiy and pressnce of sh$ 
trusisd modiJtSt. in addition sha tfij^isd moduis oan be 
mads to asctjcuta pad of -i-i^:- ;x.cie Sue--:;; auUisnticatsosi 
c; tmstsd fvxxsuio is possiijie by uatr-q the trusted 
r(^iy;e'$ privato ctyptogfspiiic i^gy, and standard m- 

M tb&nttsisaiofipsot^jcotsi 

IPISO] In acfeSfiion, there ars the foliowing q5U0f^3: 

* APi caiis oan be rnada 50 tiia trusted modsiSs irtstsad 
oflhaOS lasdiscusssdeafiigfl: 

* Tiie trusts fl-soduts can bs mam to exacuts pari of 
the oode. This can bs dons s-j sev^fat >vays. somo 
of winici-s havs 8ires;dv feo^jn d^sjiysscid. 



P&dof thftocdecoukib: 



isffi it may i)s 
■^iss5« to this 



3<S to SXSCtUS 



: ptst] Th.6 us8:o|-.mi* n>6lh«d i«thsr than th« ao&to- 
CjO!.«i tiS5; o! ..*;Pi o;iM to a harcivvatfi dt^Kjio coi^rilsss 
rsiany r4 ''sc d{i...?c;vr.'!!^i90j; nonYsaliy associated mxh 
tnss approach 



10\S2} Fifst, Jracilionai sotlwars proseciiors ifsing API 
csj:!s to 8 liardvva's dOi-sgiei :s vumfsbte to cnociSio'iUOfi 
of softvsfStre (ocks vfe a dsfcitggsr ({or sxarnpis. by step- 

1^8 moihsfboaro"} Cf disassen-sbfef; thu* s!?€f{«8 th^ 
cocJs to fsjncve csMs to the key. S^oditisd copiss ot She 
o'xira a-« prodyo«cS, snd suj-s fteoly. both or> SfK; host irn'i- 
chif-isancicrs othsr trsjishinss. This may h§ wxifitered srt 

* Psf ! of She cfxfe being run within 5he ii iisJet^ mcxli}S« 



A sottwars sxscutof wiii gsnss-aSiy only ^aKs a 
ohsck at rufstin-is; iXirther APi cails vvsthin tiie 
oods cm b0 o-ssdss at various stasis aamq sx- 

gsngnsS way for she sofswsfe « ssch cystofirs- 
sf Wisi fficsjK'S t^is sartia vsfsbfi). and cystojri- 
'm6 ctefaiis sych as jhe otscI uxisi^c; mcsJi-ila 
ID tar! b« adt5«d i^-et. ;si she rogis-wjlio^ slags 



ing cods musl be tcjadsci logsther with th§ sottvwsfs. 
;5rvd p!«5vont iicsncs cnscks from t3<sif?g feyosssecs 

in io-r •r c.; she ;r«<iS!!-;Cj t^jnctitxtairfy of procs-ssiriji 
r -v- '-.fi iiJjKliivafS. ! h)S !S countersd ^ this nneJh- 
S;v fjU^^i iiv Cf-ifichs. ori m& SiSfswsfSs arid or! &;eocs- 



•jxitJifify in the 
>«d!-!Otfcssf!«d 



*tk5l*'-o ' j> ^a. <,!r- s,-^ cafcn am if? 

1ioft sEcrage, snci i>8tte? (nslsfsng. 
|01 SS} f=ifi8!iy; tiiefs;%f 0:<s(ffOi1-fei8t«(5 g8s?>-s tor tm^- 
vsJopsr. Th$ iijineiils of ^^Siditioo of APi sstlW to Xh& soft- 
waf 3 mi} ihai tha soitwars js cystosffi&5<^ fof a pafiiouiar 
fnjschitse, artd i>gfwe not irfifrs«5(iiai8iy of b&mfa on m~ 
ot^s&f fnachirsa^ mm sf the (jx«sc«i,sfci8 or soufCiS oocJe 
*'8f8 obtsiirisc! In ctear,: HovsfSVsriSlears riss^uif&subsJsn^ 
siai effort or^ ths part of ths dsvsiopsr Sy the only differ- 
S!>c-s bsing s diSsfss-!} f rusted snodule ID, Wftti pfoteotioh 
via iotsgrity-chsokiiiq of ccfcis ^ussta'-iSia! pfcisclion cart 
tss ^6isd v«:}y istis 8fio« by ihs? asv^loper Agj-iir;, 
r:jf?n!r?s par; of ths coos witr-n u-ss ifysfed modtiis? stssjsf 
does nci rs^Mir^s •f^3;vidusi cu^ton'issatsOi^ o? axis. 
fClsei ihis v^xarr::>■c - 



i:>a>b:r 



li-!S{3rt AP! Ctjiis Kito it>«5 sof^Vrffy, arxi'Of irUo y 
J SKscutof associsttsd wat^ ihs soft- 



dated vvlth tsis dys^ So<5?i!5 

tsr piatsbrm ifi^S S" c Konc- 

sP -rscdute or soavj oshe; 

ttsed For ex-h-vipie i ;: 
Cfst.sc.k.w) or :iC!5ns!r:ctm^ 



Sfjs secres. -t :s Sound ijjotsci vysihs's tfis sufrejrS 
siT-;art card of iniSiTjas irysisd cofi^coriss-ss Sf?e 
macfiii^s, Tns! seoijm sxeciiSor wis! have a pro- 
soso: isr^i-Siorosi &<3x ijiiows is so carry otsf 'M. 
c'-cck, arid wsis fjos sifow tf}$ softwafs --h \g rot- 



! hi, tiss'' resissers with fbs devoSoper, As sari ot sis<2 
tr hii pfOcj^'SS: auft^ntfca^iO;-: tiSSK-js-ii tos-r;- 
'>"wt?f>:^J^"!55 pgifiies wiff'SiST ths iicerisint; t.-ysrerr! v,!ii 
pfacs before (or at St)« mni; tsffts, ijy iha pro- 
foco 3 iJwg (twof porat«d) as sxchsfj^e of sessiof^ 
k*5vs Cf c.ori%tefifistiSy of raassaqes p-assad b$- 
twssi^ t"^sm fssesxasrspis Bfof furirig;dsita;&oi this 
proeess), Thetampar-ijroof ccsr^^ponsir:! is ssnt pSii;- 
te-Hsy v-Sftifscafes corrssponaitig to ths covsiopsr 
in 'gtjf^ for paymont (f ) he is cjiven tr^s gas^SffSiff;/ 
Cvisto*" itsed software together a postiafjte s^aro - 
mf^ fos-istasit devics (sisch a Si-^'-trs csfds cosv 
ij^-ft fiii (>jy stcsiBge or ^■:.sid-<;oO"-iC! Ij-if; dsvsiopftv's 
Sfe tsial Is ChscKed ior ;r: -n^; co;55: or i;ey si- 
trarssfsfred to his Sarnpsi -proof deviOij {for sjxssi^pls, 



ss dss 



} m his 



'^^r \ tfr> i::i=oisc<.j srvso u^c sottwaja orotjr 
ffi<sf AP csifs checKfos tr^isi parstcusas rriiaciisne ID} 
r!'~o l>"c softwsrs is shipped to l^im. 



Q de'veicper nas 



idt-ntiSy s«^d pr--5t-e!X0 O! a sarripei - 



If 
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cats w'im the sottefifs exscutcc 

Ths softwars and ihs cods dsscriDsd in ihs prsvt- 
ous {wo ste^^ss abovs srs signed by usirsg s hashed 
vsrs-Kjn 0} shs iri8ssa9s sfgnsd by ths sendsr^s prf- s 
v«ie fey .^ppsrtded fo {hs messsgs so ths re~ 
!;«ivsf car-! chfickthe sr-fegriiy of ihe ftwssagss. MOf« 
axpSscitiV; the ctevsiqiet l-siiskjs the 'X<J(? M, md 
sigfw )j wijh his private key (Sprk) lo pfodyce the 

k:-;3s5h£-r wish th« rf;S«iS??ge M. 




stiwg iSvUheniication Option?yly: fjppitcatiDns may 
Rfr! vvithif* a smsled srsodyis or ss-nsr? csrd. 
|01 S8j Ths gsnsrs! isdvantags ot such a iicsfis-ing &vs- 
l&yi Is that ihe ftexibsSity o1 iic&ncs fnafistgerrient syslSitis 
(..r ssj i-omsttcd Will" shs Qf>„!i'S( d!,^ o* *-!!^>tiv\<5.o 
secyfSV: without thadrsv^tbacks of dongiss 

systefti? &m coynkiifid as fcsjiow?;; 

» Sypassiiig oS iiofSfissrsg checS<s is cotinteryd by sin 
ifsicsgrity check <:-fi ttie pi?i'Jorrn, ^.vsiloh win if il^s 




fetsiis the sofswaf«. Thss ensures that modsf>ed soft- 
ware {e,0. wsthoyt APi ca^ls) csmoi sss fyrs: vjfijses 
ssre not IntrosSucsci, etc The software cm also l30 
Tnodifisa to stek for the pfssst^ss f« the pMtorm 

When t^& «ssrt!le§ lo ran the ss?s»arev teSQfK^«fe 
exeeyiof takes ovefats esfrtroj srxi rfjaSces: insliaf M 
sl-secKs at the sfett of ths esiscyrsa'^. i? tts©se ohecks 
8m::sat!Sisdi:lhS:Seitm?sexseutor allows thsso?!^ 
wars to fun. If addlt'son&l APt catis hsve been isicor- 
P&rsttsd into ths sottwsm, these ars msds to the 
S^jstsd i-nodois sji varsoiss points during ryfitifJis, 

A; Ihe sa;r,.-s tims as sucn checks ars m^sdS: a record 
is made an ms-iW^-i n-;ooii.;lo I? the softwars vsfSfe 
ex«.'CM!od fi'jccosifijiiy sn s-omsj rr^aieis o? payt^vasit 
thi ;js.s5& fi'pofts- ;-oi;!rf be s«« to the cssarlnts- *^ 
houso c-: -sgiitiistion bfxiy. Pay«^snt tot a csttstln 
o>jrnbsr ol sxeos^ttons o! goftvssm cetjid easity he 

f^XSfelferf. -5 Q. tJSirSg SfTiSSi O&fdS. 



[01671 Tiio i'v.cnd p:«-i)rj!S uses in-s ms\o<i fPod-.f!«J 




l«jsisd sdsotity (pfsvaj.-5 crypto key; :a uasd to penofrn 



Tr^ese is Sifrxtfetiay In psyfnsn! and li^^insrig modiMs 
((irtclydlt^g aliowirsg a combineitte of dfersnt types 
:sf licehsifTgi), 

There is an fmprovsnscnt uposi gensric dongSos 
sijch a§ Wave Systetr-jj VY^vsM-ites fn t^at tl aifcws 
avoidance of vif>iv«frsaf ey istei^- ksys nlihrn -he l-ssfd- 
mre device and allows l{?e secret keys of thiS de- 
vesopsf and ot the hardware to fefnssn sesret. This 
is especially irrjportant If the third psfties are rion- 
: tf asted s\fiQ& neishsr ihe clsarlnghsuss , mt my-^ 
one etss, vwiil bs able to triake t^ss ot the protected 
data, since they wit! not know ths tjntock Ksy, This 
is srs improvsnwii on cus-fsnt systs^^is. whess Ihis 
::ksy wsil l5«s kriowi-i by thts Gisariftghouss. 

modyfes avoids tne key (riarsap&f'^srst problem, 
Eash deveiopsr has si shoses o! ijithsf gsnsf ;c or 

SpJCtflO V)tv" < . V <\ >' "'^!>N^ \ -,1, 

bsdSIOfsnt lot -ssifii-! cijstomer :f ci-ssis&ci rsns gives 




about vvtsat typo c-f data pfotectiors hs v,>ou!d liks to 
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losmu o>. the sfirt-se. Ths ciiss-it plslfofm cioss rsot 
have to bs is^bffrisd about this choice. 

l&i&i} in {his sxan-ipls; 

♦ A jjsfiijfic s«5Ciii« sxsciJtoi; secure teactef and s?j- 

cofnsiytsr piaitorfn, Th$ cod?; mi\ noi ba tedisd 

jjiste cJiS-ot piafform -otsgfi-v chsfik si^Giiki SasLss 
d&scrifcsd previousiy this docusT-enl 



t N i V ii f) \ ^t^'- f» 

o! -session Keys Jo? corslidsntiailty of msss«s§«s, 

Atishmticati^si; Ihst® ]$■ sythsrstfcstton from C io ^ 
fhs disris*s tstmpsr-proof devica This is tos using 

pfotsefe a^PiH&t f isplsy atSaeksj; arid e ras^ene- 
ing wSh 8 msssage comairjlng this rsenc&: dlgiisliy ss 



thsfs is ^lithsniicsiiion irom A's {smpsr-proof de- 
vice tc C A pyblic Ksy csflsfscate giving the puiJisc 
fesy W cofrsspoiicssiiQ tc C's pnvsts cods sigMg 
ksy is {raiiifened to Ihs iiusisd cosr-ponent of ths 
snci'US&r ("in sons css&s (s g. upgsB&is) it ai- 



ihy, ajxl !he i-issgsfty oi tf 



sisci n-cdufe). 
jheck tns v'sm 
5 iiptjmds d8t? 



'hss is fer 



0 n-ia- 



Data eficryplec; usisig 5; syinr-^istric Ksy 
i-sridsr C's prsvats.- code Signjnjj Key :s:.c 

chine to ir>s snc;-usi 
tot s&cn ci,!StQfrssir sf dssited Th!& data iS trans- 
fSfredtoihs end-usst by asv/cons'ertisis'i; rnsans (for 
sxBtr^fift, internet of ss-efitte i;jK!t5d;;3isi). tisnce it is 
tfw unSock key ihat !'!ee?Js b« proiectixi. An opt sos^ 
is io itjsteiid s pfivats fe>y K', ssncs tirse teksf^ 
to ssnctyps ss pfob«foiy >>os SR is 



Cor({id«?ntia!i!v" li Xh<i(;i ts a ss:-;>«!iSi-;5 ;i^5Vf?iOi;:■•^:■ arid 
cieafjnghcus^j.: a pfotooo! is ussjci bsstween ths ce- 

&sch rr:fisss\5s whsch iS to Be pfotSGtsJd are sriCiypi- 
)i -ns; SiyiVsmaSiy:; k«sy :s kansisfrssd RSA-sncfypted 



Cs-XiiOCS io 

;5c?i party 



'i. go > ■it ^Oi- c J „ o< o = L > "Dy i^S!0(^ < 
mndom rvumfeer geoefstoi-. and ^^skino syje 
keys *tr8 oniy used ones). Tns sondsr tm. u-sss 8 
to mc^ipi ths dats D, snci Sbsn sncrypts th^it D£S 
ksy ijsing ths fsclplsnt's RSA putsJic ksy. Ti-^sn ths 
sender signs s iissts ot 8ii ibis infomiasi^r; to onet 
a«iheotic:at!Ofi af>d iofegrity. istrsd sends \he encfypt- 
ed (fets and snciypted DES k«y togsihor wWi tfjis 
sigrfaturs. Note tfsst ths tjeositwe cfeita D stO!«d 
sncfypt^d vyish th« DkS key. OnSy jhe recipi^sr:! 
shouid thsn hsvsthe RSAprjvs$s Key to decrypt Stie 
DSS encfyptfon key, and use is to decrypt the data 



A!i cofTimtiftissstions betw&sn A and C ats esXTyffted 
using DES sessson tceys< as discussed in she pfsvi- 



\n additiort. tb<i> iv''!'!'-"' 



.<5ys sei '.sp using a: 



ptiSisc key '-imUu 
c.-.!'.s& fcety^'ssr: -ne- dsvsslopef and the cis;3r!fj<5- 

axi;;-!8nged snitiaiiy and apptopn^sle autt-tenSitiSsjon 
csiTied out. Tb* sajns p!0!ix;o!s can be used as de- 
sofibsd sixm\ 



check peffofmcd Py the sscyrs ioadet 
isy chgck-ng ths signatufs using yv and 
w{~t6!har i! ss t;«m ss^s axpscssd so!ji-e<j, 

on i.he ptettb-T!-! and !h« tmsiad cos-fiponssn 



at 



4i 

ih < on ih<^ («<■ ocJ r(v» << >c\ <5 « ■« % sh « ^^'O'-iJ'- 
* 'V'^en f"'8 I) <^ he o > h<» ? > f< <;8 o 

5. \^ V fl ) f 

iptSi] Tiio ei-'iiiT DSs is of tensing vis cor>syfes 

|0162j Tfifs rsvoivss Kptisiing a isc«nc5J database en- 
try in t^lum tor fsgistfaiion anc3 paymsnt, Thef« ar&two 
msiTi ssptos osjng this approaefi. 

The fmt is Jhai the secar© «»ecm checks in 
is daUifcaso sgisiftst tho trusted jnoduis iD ?s)tty for 
sSf! uniock key for iJie cfeia The dsla is pro5«oteci via 
eficryptior^ or parUaS ^ncfypiion yssn^ gi key, snsi 
hsrcs CSJ1 b&frssly distdbu^sd withoiiJ tsar of pira- 
cy. 

Tns ssconci is tn&; stscuis s><6C!itor or soU- 
wgrs sxscutcr checks in a dafebsss isgsirsst the 
tri.Bis.-ci i-f^od!!!?- ![' Si-!try foi- p&f;v(issi0!is for rsj^s-ssslf; 



m 

"U l-ft, .^-i^Oit"^^ (piJfOir- !( 

<^x>«fo be fo f«3SO <i of Kfy f f 4ifr ct ^3 
Mun J fr>p!v Prtti-' k^n s +0 ^ 



<: u ( h n 

tf! piacs 8od s iav<>i.if so sokJ!*;*? • kss a psrtsc ulaf cor- 
pome>i. Secondly, ihjs msihod can as low r'-o^rv pef- 

m^cm, : vshici-j ^XtS^^pis: 8 dess mi .. 

V* IQiM} A iicsnsing erocsdurs vvhich couid be yssd at 
present woukt iss »o check fingsipi-intng intoriris^oii 
HS^iOSf 9 ifosriSin$j aai.sD:h?>ft '.■> •^si^'r\a! ii-savo ivas 
s vsS;dliCi5>ni5« co!-;s«paxiiti9 io ii-ist {ingerprir-i, Ths; ap- 
piication *«o«id aiiowed io iud or oos (S«pst!di«g vipof! 

M this irsfortr^iioo; ttosssveK l^^fe methssti is noi veaify J 

* The Resncs-chscKirvg code could at present @&si!y 
Psbypssssd: 

40: 

* Tfisrs an ovsrhsacS irsvoSved irt g&r^sfsting Ene ds- 
Isfoasss a«d ksspifig ihsm; apio dais. 

« it is !30&sib!6 10 spod ID to pin access to intofwa- 
tiOf! Vifhich is iiCiJrtssd to arsothsf macnins or ussf. 
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suasd or stof&d tocaffy wtjsn oesciod ■. or ^ cet'strai- 
iy-malrissjrssddirsclofi' SfSfS'icS; whsfs appropriate 
jfifom^stion mova access i& stofsd. iftdssd. a com- 
birtSi:iC!t ct Ihsss could foe lissd. Dimelojy stend- 
Sfds;, co{>•ifnor^ly knovvn as X.500: provide ths {our>- 
sfeSjons Icif s ro)ji!i-p:Jfp«;'3 (5tsEf)i>ii}e(3 dsmctoiy 

tongwsg iG sg!vic8 providofs. govsfncrjsfsts, arid pti- 
vats of^amsisSa^s. ft wouis^ fee sif<3!^t}fem'(3 to 
>T5odi{y such ditsctofsm so -Ksi far compufe? mi- 

chins §D cou^ rsturrs Irifofrriattof? ir?cludlrsg dstafSs 



csflsffcste. Tiiocode vViilnoSbc ;o.!-^^.-i :tihi5 :riU?0;:iy 
chscK jAiis, and ca?s ihs. ;c.'v.' o;s^ .■5:-0!f!-! 

Upoo rscisstraiioft oi thei trussed R-soduSs |0 as^d pay- 
nisftt. ihsi cfesfincjhc-is-s or dcvslopsr causss 
tJj-sksck kay o^ data K sx- snesriecJ iiito ihe da- 
i<}fo<33«i onJiy cofisssporsding to !he Srusisd mcsdub 
iD (ihis !n.:!y ;sc5y«!!y ^ss cauml ou! i;sy a third fuifiy 



a!fe^^f Of disaiSow Wmh sspsfopriss-is. A!te;T(afiV8!y 
sni ciafei siccfts^ k{;ys cotiid be; stolid in ih& dtfec- 

Ssitsr auihssviicatioj's aiiows a dsrscio^/ptosfie ap- 

sirong&f ?sum<5oi>c.aliC>n srsd hsips prt'vorjt ^oooiir'ig- 
(Arnom smshvorthy svischine or ussf idsntjty^msKss 
ihis metoi i!5S5. opoj-s to ^sb!.fs;^. for -jxsijriple by ao- 
fi!5h«! user's idirntity bimQ given.) K«ys cgfs aisofee 
stored rftote seo).4f ely. C^Jsorsii^iy^ softvifare aouid be 
atfcJsd lo ansyro Shat tse systsrtt rmsef s dslts tisap, 
ariiJ st<?r« this witsin Ihs Usmpsr-prooJ cisvice. if a 
smsri cardmre used, ihs clieck In ts.s proEife wosjid 
b§ agasfist the user ID: &rsg^e sign on msi^'te! mean 
ihat ths card ^4mki not have to fcss ssft vsthin the 
fesdsr anci iocatson is-sdspendence wouid aiso be 



10\B7} Wstn f€>fers«cs to the m> stairs options of !i- 
c6n&if?g usir-sg- Sh« fs-iSthod C §tver^ abo^vs, i&i us consider 
ifi* lirst cas5> ioitiallv^ CI: 



The s;;;nw;5f8 i>r csthftr d8!ii k; be p!tiiftc!-5d is an- 
C!Y;>t«!« ys:f!<3 s syiT^rrssific Ksy cosfsspofjding is K 
arid signsti under C's privsts oods signifsg ksy (8. 

q LJSii-ig ^,^^■r.fDS.O!^'S A^j^.-i^JiMiOOdfi) Snd S5!;V; by C to 

A's machfos ttts snd-us8f. K z^n potentiaiiy b$ 
dfSfsrmii iof m:h customer, it ds$(f sd. This data cat^ 
he ir^insfef r«d so ths end-user by any convenient 
mearsa {iot exampte. mi&rml or sstellits broadcast K 
sioce it is tns tiOiocH K«y \h&i m<i(in tobs proJ«ctsK;J. 

Offcs r«se(¥«>d by th«j^ ;jn£?:-ys«f ptslfetm afs ihteijrity 
chigcN Is performed by th« secure Sosdsf m th« data 
by checNing the si§mjiur<s us.ffsg th« ptibiic key cor- 
resporsdingi to G's pnvate ood^ signing i<ey. 



ssi^twatreorotner 
data is insMed the piatfernri and the tttisted 
ccfl-^onenl records this avent Otnsnsffse, an error 
message wi!i be generated and the.ifeta will not i>8 
tasdsdi; 

Wim tne \is&r vvtsiies to run tho data, the siecurs 



{Oi^} A s,'<5f satiors iS; to store tns iii-siOGK ksy wiihsn Jha 
Ifustsd fnodiile: once it has beso fsJrisvsd, along witi-i 
the data rtarns. so thai ihe datab&se it>okup procEKiiire 
need rsoi bc5 cafrsed oul agssri for »i)s p^!!ifc^•J!^H -^s-a 

Irysted modi;!?- !D. ch^sci*. ths ursScwK koy, «ss Shis to ds - *e 
Cfvpi ihQ af)d Xiifow she dsiia io run fi>-s She sarr^Ci 



■ pero 



ling a 



a am checked tor, Thsfs are iwo possibis 
dspssidifig i.ipoH wheEhs? tiis secure sxsc- 
jfic piece d cods ifiaE ss incorporaisci trito 
} corr!!fsy«iaat8S with the ops-sUing systsni 
ihe daJg sxec-jtion pfc<:8ss. or whsihsr a 



sod sniiii 



rsyric 



data !S sigrscci oy iiS'ncj a fiashscs vsfsior. the !-r>ss ■ 
sag<5 e'-qnaa by ths sendof's privats k$y apjssnd^d 
to Jhs messsge, so tiist ths fscsivgr can check Ihs 
trstegfiJy of Efts msssacje. SspliGltly, %h& devsiopcf 
nsssftss M, whicn ss; fts dsifa tc^slhef wfeh any as- 
socsiSTOd scttwars fj^ssauto!.. and stgfts it wiff-s his pri- 
vat£: Key (Sprk)topfodycs<3 S!gns$!jrel3jj,-^.(^3(^). 

The secyfis l<ssmr wiii !h«n c'nscf< she- signatiyas ys- 
!h<E dsv3!op«f*s pyfolic kfisy. «nci ihsrstor® f«- 
fr:«:V'5 fhs> ;fi:>s-sk5gs ■• ■aan This; aiii^ja: itss-s Shi^iE 



tnors; Ihs intsi^siiy ciiscking meciiarassr! shciiid 
'srsi fispEay-siiscks by Sics'ns s'Eandard mecha:- 
1 • sajcti as [jsinga noncfj. !i th-5 if^legrisy chsjffik 
ti'Hj siactira toadar ifts-Eaiis ths daJa This «n' 
m thai ■rsodrtiSddsEa ;s.p vvttHosrtAP! sJaiiSj eas^-- 



imO] TficoaE;5:;is;^i.noE:5;< 



101713 Conslcismg th« first g^mtlc sus-fr 
vesy simiiaf io that dssscribsd in the k&y chi 



)«nriiE>§ xhfi dausbas^ 1$ instated at tN; cleaf^rsg- 



Upon fs§is 

Ihs snd-sj ser. the cissringsioijss C3f dsvstopsr C ids- 
penoinq crt ih& p&yn->snt srsodsii) Is fotd the trustsd 
mcsdafs sD. : 

d&tfs!opef fit f^oE already passtjrft';. sinci vsce -tfei^a. 



C authorises Ehe ciEStafesise soetv corfcspo 
\h& tfu^tsd sT!Od!.!!e ED to tjs^ EiptiatE^d. acec 
(he di-i a .o>,;fC!i4:;5<sci. The pafiy s-unnii 
cofnmunicaiiss >viEh th« ctefenngiwyss oe <isvsiopef 
«s®g public Key Cfypiogmphy ssiSing yp shared 
symTOtsic xc-ya -*ftdi)yoa.--''a!-::,- ■■^c;'h!;;;r,n5ds,?^j' 
OS 'i'hd conEanis jf a;HCE^ if;.-55,<;ox,;.:? !!-;;3t isi ••> t:ii pro- 
tected am «f>cfyptiKi uainj; n Ear;doET)iy ganefJ5k;d 
OES key. aodtfatjsferfsd t^j^elhef wiihttje syfm)<jt- 
tis K^y which is F53A-afic)-vpt:<s5d using xho public K«jy 
of U5« jfisefided t«ci»fent. II checks for tUishonticiiy 
and inJsgriiy are ®dti&^, the following protocol re- 
:&alts for each fnsssap; 

The ssindas- Qensrats&a DSS -isv 'uaE:^;< h ^.-sndorn 
rsiisvibssf gefiaratof, and n^ai«!!Xj aur s Ehsse Keys sfs 
on!>' s.)sedonce> The s«;noijr E!-ie;^ u;;as lE io enc.;yps 
the dato; f), s«nd Eiien srsc; ypt thsE Di-i-s Kav ;hs 
r8Ctpier!t\=s f-^SA pub^-c ks.y T-^-^^ Ei:s; sajx.^sj s.i3;-;i- 
lalson to otf^^ SiaiiisnEicaEierf 
3si svisryErjinQ lotjsEtief wih 
! rs-cipianE shouki tfrsffr hav4^ 
aa;^•^pE Lr.s ssncfypiiori 



and :fit«t)rav. 



then-chseK that Ehon^sssjige oarrssffom-O, Ana«8t- 
^ ^ . c . ^ fc<f 0' pt tj fc <oy ;s t ' 
! : '-^'t: -sE^d <iytnef?t!C3tson fsws ir« fsjstod 



C: E: 10 diipiic^iEfO! ! oi" ctMSf daift wtiich is to ije 
;>,' ■^E"^,;a■•i eo t - . !«^! li, n she foiicwng ni«>in'5f The 



not tee aEEGw 
wiii ask ths ( 



:■■ and Siia d3.ta wOi 
fi i-ccu-e executor 



S4 



♦ Upon f&g!S.}*-ss1sori aftci/Of payms^t for ths cists, Jhs 
csesringhouss or dsvi^iopsr C i's«ccofdin<; io ins sx- 

cosrsspsystjinj} k:- thsi tsuaUiCS modyte iO so 'qq updst - 
sd {icoc-rdin^ -o she ciiJta purd^ased. (F'!!©; io th;? 
ptsbiso. ksy c:8rU?tcs5es Mwsn ihe«e t^xiies vsfiii 

woiiiiS iriCOfp<jrs:-«f!-jthsn:W,:(t!Dr-.S'0:r) C to thf= tritft?- 

i'siijms a mess^^gs v>>'?;:ch :tici:jd-sy :13 p!.J&;ic. key c<5f- 
Anasiaiogous. picl-xos vvotiio as-fc -;>■■ cjfciic 

CO)T5!ritJ!-!iC8kiS W;tr. ihi> CU;.3rii-!«fKH.!S«: O; dev-Jkipt's 

iBsng public Key iJryptogfSpby setsiog op ghsrsti 
syrrsmsiHc keys, and fty ssch ssgniog th^is rt^sssaig- 
8S 



ih« oiisnt solswgife ssxeci-uof is customised 
sycn Jhatths public key o? thiJ trusted moduis is in- 

sSi3f8d ksjf 1st sst up; bsjwaeo Ihe saoursiexseuJDf 
and the i!y{?5ecl medotej. BtAb dais m<} soft- 
vs^fs wsu-ijf arSi hasl^^sd af^d signed: wssfl She 
ei«arit)gtaise.<ci§veSOfJ§!'s pf ivaie Key; arfcJ the paSs- 
Ite k^y eotf«^ti(^irig to Ihis is stCMvsd on the tf usied 



T"hfii ssc^jm ic^dsr intsgrity discksthe data and Ihe 
sofJvears sxscutor: lipon fnstaiiatioH: ihs paciiags is 
vsfillSQ by sia&ning and compaf isors wflii {h& de- 
crypted sigftatuf 0 {using fh© pusFsc Key in IM ifustsd 
msJdais}, 



The data ssfjd sottwsrs ssscusor ats «ot losdsd if 
ihs dsgitai s-ignaStij-s (fegs m\ match vsSiat is mpm- 

8d: 

ssjids s !-r)^ss{}gg to ;he softwafu o^ec;.!;!}! cojfo- 
spofjdmg lo ihal dais Th« so'W^i^ ^tssciiiof tJistj 
fssuss 5-; chsiisngs/Vft^ponss: the- s«cucs i'xocu- 
lo- by fi^^ans oS s-s^-idinp s -andofr; ntiri^t^er fnoncs;. 



c-hiScKS io sfii« wsiemer ihs data ss ilcenssc! to 
fun on ti^ss trusted mcdLsie siiachfrss; ID in f?is 
pfoiiis s.iOfed v^/ithin the trusted fnodiila, or 

chocks to see wtssth^!- the data ss iioenseci to 
i-un aocofding to \hs uset ID ot a smatl card 
which has bsisri »B«ftsd in the ptetiie tsigred 
: withio ths j!-y8t?}d tmsdylo; :os' 



consults, or downitsiscfe p^wt oi it 
tabasts to fojft} a p!X5ii!« wiihin ths 



ed Pfiod- 

tiixsnsed. 



:-:U;iJ t:U: d',;"! C- - 



ocs »m (Ms. ■< 



;:ny -he srijstsd rfiociuiss p^:t; ■ 
-^v'i ih<? So thts OS to 

Q to tho OS 



pi 73) Ths foiisi h ojismpie is of using tho tsusted !^i- 
ule as u dotigte by iissgsiptinln-sg tbe trt,sSt«KS tr^odwit). 
pi?4] This diifsrs from cutrsnt fifsgerphnlirsg tosh- 
!iiq«cs it! ttms :fi wses a tmied idsrstity wijhio tbe i>5ird- 
{v^.. ths nof^ -secffst trusted pricduie kisntity), integ- 
rity chsoKfng oi ths appiiaatlon fobs run. integrity chsck- 
irig o? associated appiicatscn-snabiiriQ so^;wara and us- 
es secure audit withifi the hardwars Optlonaliy, S;r; un- 
lock key cart be ijerterstsd mhm ths sottv's^srs sxscutof 
on ths ciient f5-!acn:ne fatt^et than iemo^siv' The Xr-ji,i<i<i 
n-soduie wis: i>&ve tc cosit^sc ths vsjnciof In ofssr to obi&if! 
a key. thts proleci-rd oat.^. a.-xi Sh? fj^-i.ooisa-';*;; ^c-iiw^-'s 
exs3uiOf< which wjI! >3riabk5 -he dscsypl ion ksy to hs sjsn- 
efatC":5 iocaifv .j-; ; i ^ nx-x, >; !.? ; •^ cai-! 



lillsfsot k 



Ths: yniosis Ksy can bss gensratsd -wsthin the soft - 
wafe executor or secure executor or, the ciisnt tna- 
chifte rather th&n rernotssiy 

Tt-se {«-:5y tfanstened iroir; the ciearinghouse io the 
C"oni ra ci^tsx' f^ot the ijiiiccK Key Out a key tron 
vsihicM ti-iis can tvs ciofrveci usinti an aitjos-ahm tosisid 



m 



< X p ■> !> n <}js ?vi lb f (^r^S no- ^ -it 



{lie sfoces*, 

d vi f t !> < V. (, en t <j « f f 8 e 



Datsiearvbss byp^^usssd or al!5:ed. 4iPd so soiiivBro- 
t K ■i'i i^K^n i-> ^^ct c>tr shtj 'eo m ^fntjsro snc} 

io»^ o stoq c s^m or* vifhiv,*^ siis ^ ds\ 
bis Of f C j>!0 Sfks if! !i to ftnUfr n 



it i 3 U •> 

X3ted K 0 v«» «i iU i J 
ana «ssfr ifitofn^ate^ 

» r * )fi<n <.t)>u f ) <3! f 1*. b<ise<*! GO'S iq 

* "5 i i»> est} v>> ed J <j } 

* A« Of iiqstoSof-- % hsce f>ng""o "(^dti'^' 



Si 



p;f«3-s.!C!5<5ci withif^ S by C ot a ihna party IrLssJec 

* the decrypJioj-i key is itssd to dscrypl the cista s 
■snci aiiow St lo i aft. 



|0l?9j Ths ^ir.isi sxsmpte is ot Sww « con-ifciin^tscri ot 
muiitpte tmsied dsvtces cafs fos -j&stci 1o i-cerrcs dats s-s 
« ffexibfe man!ie!\ The cosribinatio?-! of af> !ntsft->a! 
chins tmst«5d ft-iOdiile Sftd a portable Ifusssd moduis 
sticfi m 8 mn-i^n csrcs considered., ^or ths psiiiicsjisr 
C8S($ \n which ib« hos-ctesking iic^fiising fjnx5<5S is usixJ, 



ciisfsringhcyss/cisvsi- 
uihsjnSfcstfon and C is 



Etngix^yto 



software §x>scuter fo tns usee by sfsy conmn- 

Tils ufjtesk ksy is tmnslsrrsd by srsy convsnisfst 
maaris tfofn C user. ThSs fesyiis not psf- 
•iou^^3r^/ ooofemiai. «rid can i)8 tr<jris?(Sfred by 



Ths user logs in lo a ifysisd piatsow-i cornpsjiSf 
and ms&m im srmrime^i inf shs irsadet; 

Whsn th'> user fries to tuft lin det».. he is 
; ptotrsprscJ to type in tt^e urilock i«ey, 

Ths soiftwafe <5ic®c«Sof Ct3k;y!st8s {he d^csyp- 
tion ^ssy serf8Sp(>ritiirig{o Ktrom til© «^ 
and ihsismart card ID, sjsirsg sn SfgefiShm pvsr 
stored within it by C of s ti^ird party tr usisd by C. 

Ins dscryptittft ksy is ij«sd to dscfypt s^s dsia 



sys, ssnd by Siad's 



es. Th- 



.g8!!"!ef wish tfjo syrysfn«ir;c issy wtiish is- RSA-sn- 

:mk acsGOfdiftg t'S ;a sSgodarci piotocQi. 

Tbectear ioghousa or dsvstopsr sands shsdasa, as- 
sociated wish {5 (cyslotr^isjsi} s<5tt(;¥Sie estecutor. to 
t{)e «iient. The scsfiwsre s!<ec«5»t (S owsS&rniSed 
sycf) \h&t ibfs pt.*j|ici ksy o! the srusted (OsKluis Irs- 

s^KiiecS ksy Is set up bsSw^srs Jhs stjc-urs esijcyto? 
arsd jhs 5f ustsd moduis). SoSh the data and ths soft- 
warn sxecytcr are iiashed and ssgned wiJh Jhs 
eisamghcuss/dsvetopsr'spriv-alskey.andthapub- 
Bc k5?y corfss-pondifiQ to this Is stofsd on tns ttsjsisd 
rf-ocf«i6. 



Hxi secure iosae- "'ilogr;-; 
sc1tv^sresxeou':of: up;v. 
vs!^f;ed &y hashin g i ^; ; 
c :'y ptftd signat 'Ji- s f siog t f i 



s sxpectsd. 



i■s<:^5i■:>^1 o! sny c! ' tfst. ' j ~ , 

loj rijri08>g)riyit(pi-i sppijcissoiisoo 
bs used. 



: airsAo'y bsss-* dossi, aod ihem is rnuts-jai authenti- 
cation bs5tv¥«sn ihe tfijiSssd rnociuis: snd ite srsjatt 



a? 



The tfml06 raoaal^ siOf-ss. Jhe (cuffgnn <;fnsi1 CtSso 

m. 

a chsaiierfgs/rsspOEtss to the sscors oxeciiiof. by 
STssKtts o5 s<5r«j!r>55 a randorft oufTitiijr (nwcsij li> 
9e*h8! wiih a t($is(cncs io the dsta. 

The ,icc ,■ 0 i >.<x j-o! (rs-ikiss^ an stppfopr«t<5 licsfss- 
ing cfi'X c -i <at-! usms s-'^f? card iD, or 
aissj {5Y obJ^iif's^js-.j sofTis ir^isxrrtsfiOf^ m the 
smsy; card Foj exsmpls, using Ihs iscensitig f?Ksdci 



•! . c^sfci which 



- -liocitite which ss rssteit to irsJosrs.:;! 

t'inipefsnti and which stor ss. a ti^ifc! psif1y"& pub- 

•visstns stioving Jfcsfic^-feiated code cofrsprists-jg 
at isast G!-s8 <5?; 

a sec!.ir« 8XsciJtorforchi5<:i<i!^$i whethgriha 
pS«iics)fn Of a !.iS!jf therciof ss !(C8j>ssd to usa 
pjjfticwfeir date and for jitoviding jsji intaf- 

;=i -sssjufe toads:-!' k.-f cn£.ci<:!ig whs:ihar ti-a 
BUi^'otff- or !.!se! ihtrre-J :s iscofj'sod te ^sv 
staii panicatef date sn^/Qf for chscKin^s for 
iSaSa intsggfity bsfejrs snstslSationj and 

?ri8ar!S •stc- iO^ h«ish«d version of ihs !jcsnc«- 
rsiated e-c>cJs signed wHn ths !hird party's priyats 



•ha tf ijstsd mcxJute. or 



S? t!^ef& is ric vai'd the secure sxecutor 
tLjtmat-! srro!- fi-s&s^ssgs ston-) w1-i!ch th-^ software m- 
$c;yio! cs": iSott-sfV'-sf: she •■sXflCttypo of of':^>lamis?sSf-t 
!Keas!:";5 -sixi fXiiiSv the OS sipp(op!;«k^Sy if th-»fi> is 
a vaisd itesoce. »sb sscura eicacusot rafuf^is a tms~ 
sage iticorpofgtin^ the TOca data fefaf^nca. 
ssgnecS <yi<5 ettcsyptarf ^i^tnji iha Srust^ rficdaie's 
pm-sfekavv 

The softsssf a executor ve? tfiss if fee secure «xesij^ 
tor's fsp)y" i& coftecf sjsiftg She tfustsd moduls'* pub- 
iic arjiS e-thar passes ths cssl to the OS fo axe- 
cuts the dats oi sands s^rs ermr (ifssssage to the OS 



pfsssfis irsvsntion. 



A cofTsputsr piasfonn as ciaimsd in cisiim i , v^iSfalrs 
iiis >r(5egr«jy checking ts Dsrfoffi^ed 3y 

reacsing snd ha*!-iing th^ ticofica-f&istetJ ctxia 
to: piraduea a tirst hash ; 

readifig af^ SeciyfJllng the var&issi as- 
in^ fha pu^m i<ay t^aftiiscsie 50 prodyee a aac- 
orsdtesh; m<i 

eof^parifig the: firsf: and sssosd hashes; 

A eo^^^^j^ef psatfofm as ciaimsd m cimr, f cf 2, 
t(^f ' t"2 ik f^sc^ V ^^'-ri coo<^ c^isc : c i Jt=is ss 
c < «: - J" -\ <.t^. I- V f e'^'.C""^c< a .c s \-c koy to 
ij^ {' t „!c;rr«o oi3'w«cr: ir-o rysisc! fnodijie Sixi a 
!jt>^ii<' t-iiS-ted f^X'd!.!ia of anotiisj coi-nputs^r pia!- 
!oa-ft. 

A esffftpates pissttosni ss ciaims-d (n any piscfjdiijg 
Gi?:iim- VitsSs'ssn iha iscanca-fsiatad cede sslso in- 



5 . A wtpiites piMto-w h3V!fi 



sofswate esscatoi- wS^iei's spscitiss the rasp8ctft'>3 
qtOi . o* dsts sf^d mloh * cipetatiiij to issrt as; m 
rtt V"!:< to that gro-^p of mist. 



EP1 07S279At 



$. A cofTsputer ptaJlorsn as cigsifrsed in any pfecscsing 
ciain-!; X'^hstfels'! Jhs m<5ar!s scoring tsie: iscsncet-rsiiil- 

sror! of the iicsrtcs-feiatsd cods srs pfoVided. lit 
teast irt pj^rt. toy she triistsd n-scduis 

7, A corripiilet pMotm «s clsirOixS sr; any PKiCixiiog 

systsrn of f j-uj psnfortrs have « dedicaied ca-rifnw)}- 

o5h«f ptsns of Mm cofnpo?e? pSattofm 



$t4« request So ch<5CK includes the sos'twe- Bmcntor 
fof thft pstftsGUiaf dat«. 

12. A computet psattoiTf^ <3& ciatn-sed h otetf?-! S wnsn ds- 
psrsCJSi-s! on cfstm ot any oi" ciasn^is; ? to 11 whett 

the 3ofiw;s!« if>;(.x:iAor (of a! least c-f^« oi thss 



secure !0';dfc: 



^ V ^ pOEfosrnsSjehachockaftdES- 
iipc.n;; So iht; oDSi'-siiiftg %\sfe»rj wjth the c$sul! 

irK: i,y jsen-: opersi^fe to instsii or not to mM 
she parJicuUif daSis 

A c.O!V!p!.ii$f pi^iitofm s& dasmisid irs ciasmS, whsreio 
m« operatifi^g sysiefr; is progs-amsrisd to srsstaSl the 
partoisr dais oftJy in response ths secure m6~ 



10, A sompiJt«f islafem as elafmsti b-> eiairfii S est 



if! dspsndencs.- ypor; tnt* rsssponse, sht- opsfsJ- 
irts syste-m is opsyafete to 'r,mn or r,ot to m&M\ 



13. Aco;np;.:S>;!pisS;.>r;^->. 
irsShftopefs^ingsysss; 
psriifisjiiti!' ciasa anSy ;r 



14. A coniptiiftf piatiofsrs as cii-isr^^d in cisiif!-: ■£ o? 13 
K\^m (Jependsnt m csaim 7', whersifi the fssp<s.fjs$ 
from ttsarusted mitxitJte to th® operatifsg system is 
Svipplfod via she dsdscatesS cemrr^ymcatjons path. 

1§, A comjSiJter pMofm as ciaitr>ed in spy of cigim 8 
to 14, vstxifsio. jj tha cfJ«cK succetscte, iiie trusfeC 
tl^cs(i«t«5 is t>parabto to gar>ssst& a icsg f«t aydhing 



the trusted modure stores a ppbfio key csftift- 
estestor a parly ass^scisted ths paftfette 
s^ta 1s> bstnstafted;; 

the cpsrating sysism & opsrabis to fnoiiSdS; ir^ 
Ihs rsqusss so c?i3;ci<, ths pasticyisr dais togsth- 
s; with a !^.ash§d vgrsfos"! thsrsd si§nsd vsfiU^ a 
pfivase key ot tt^$ assocsstsd party; 
in pssiorf?iisrt8 the o^sck: ths mmr^ losdsr is 

\Q hash particij 



afticulsf diJta is-ioisjci-sd in !t-se 
■;qi,"-5$.i i<; pf-xiucs! ihiEd tv.«;h. 
ci<^', v^'! ?>gr:ed trashed veiSion in the 

-^s; iiiS public Key csnitiQm tof so 
■:c ;:;.i.-x.:;ii.;:d party to produce ss fouslh 
lash: and 

5 <sc:-;cr.':.t' ss-so r«spof?ss ifx dspendsnoo 
pon wfissh-C! or not li-i* tt'^ird srsd tovm 



16, A comptiter pjat^ortri as. ciaifngd so any of ciasms S 
to IS: whsrein, i1 the cnsck succ-seds, the sscurs 
teader is operabis to pedorm a virus check on ttis 
partfcsilar data: 

17, A oomputer pi8?lofJT? as ciaimsd sn siny o< ciaiiTs S 
to 16. vviieresrt, mon in^So^lssion, i^-is^ s>d;SiCii;s; dat-s 
is instaiisd irao the fr:e:5ui>s 

1& A cO!T{puief p!3tS0!-f>i a-i cisirosd >n snv oi ciaisrs 
is; 15: 



:'i«r;t;-x;o!;; daocWy or if-dsfecify on cisitn-; J 



at 



EP1 07S279At 



5 sxscuiot {Of ^5 te^sf tins of $hs 
sottwsrs executors) cos-slsins a pubi* key ol \Us 

tte qjesaiing system !S q)i3E;it5iij Us Kiqysst tfjaS 
software sxisxUot -hs! .'espsjciivs <sjt« b« 

■A f<5spons« to such « issQusst fhsi sofSwjirs sx - 



upon « stiOCSSSiUi iicsncs-checK, So >'«s- 
qusst ins opsr;stB-;9 sysSsm $o t;se teS ds- 



Zi. A cgmpyisr ptetfert?'! as cialmjid )j> -my prscedirsg 
the 8«ci!fiJ isxscujof cof*.m>s ai l«!«st one li- 
^scurs oxecwtof Itet pariscuiar data be us&d; 



c=:f";is a D^^v-sae ksy of tn^ trussed modufe. 
•he S!C;:i«;d rjsujS 

in fsspanss to sueh s T^pofise; that setem*ft 
gxecjitor is qxsssbSe; 

:{».5f3ec;k the ImegrSy of ths sigsisd TssylS 
lising ths public ksy ot fee: 'srustsd mscisfe; 

• ^5.< o^sfiiiinisgrity check Ola suc- 

os.;?:at!i^3 5yster'<i $o uss tnst dsSs 

:^0. A COTipussf pSai^orft^ 8s ckx-A^^'J !f5 claim 5, ot any 
fi>{ ciastt^s § to 1 9 when {SiaxUiy of irxjirsoSy <tep${id- 

tt® soitware gK(jsvnof {of as Isasi ens -oi fe<ss 
tfijslsd modutesafid a licmslRg madal forlha 



to use sHe \) ..Mi - <,\r' v n 'j'^v.^^-^so 'o 
secure 8)f<:0(jlOi- o-' Siia sonvvar<! sx'SCiJio; 

23. A computer pSatform as c!afm$ci in clairr* 6 mhm dsj- 
pendssi! on cteim 6, or any of cfeims ? So 2& Vi^sn 



the opsfsting system & opsrabis {o feqysst the 
s^ufs «xsoijtor mat particular data a§ used; 
In rsspon^S! to s^ch v=5 ?eqt!sst. the sscuf$ s-x- 
$cuto «. o\ -if 'o fo- s-i ic (sspsctsve 
sc>awaf$ SK-sc^no- ■! f •>« isgjiso' using a p«- 
vaJiJ ksy of ih:? iiUS ^J n^xJ!Jic^, lor & ^ifisns^^sg 
iTvosSfrl tor thi p«'ik':j!,:i! <i3ta, 
in rsspoiUift tosijcn latser fsqussst. tsi&S aottviiare 
m.mutot is c«>arsfoie:: 



tho s«cwe «xsc«!oi cwtains 



5t one II 



tha soUssmm ajsiscutor t^r a! least «3fi« oi i^^ss 
soSswsfs &xacu5o(35 ^ opesibl-s io raqusss !h8 
trusted mcxJuie ife rsspsctiv® data be ussci; 
in response to such a fsquesL secure ex- 
«ciitof Witliln Ihs trussed module ss operable, 

to perfonvs a iics^ncs-chscK jjsing Ehe, or 
one of the, ilcensing n-todsss; «nd 
upon a sucossstui iicsnofi-checsc, to re- 
0 use ti-iat da- 



te- r •><N'"ic & y of rs^.j^-s? i j 
ttis ijulsiio Key ot the trusted modulo, ^r-sd 
itpor^ a successful integrhy check, to ssncf 
'she llcer'Sis-ig modsi to ins secure s-xscutor , 
asd 

upon reesipt o{ th€^ Itcertsing friodsl, 5na sseciiis 
executor is operable 



ttWiOpe'-atsroiysis 
Sf>« dcd,rat5,-o ccn? 



26- A coj'nputer piatksrfn 



30 



io -.vi :rre" ; ■■■ iroJyte is op«fabfe to Jog 
Xo28: s 

s«i modtjfe; and 




Tcjtni she itcsr}cs<-h!3GK wilh rgfs:<!"$ncs5 50 ihe us- f * 

\if%i Uiisxm fnociyis to the sscofid i? ussscJ mod- 
aS« u«ifig: she s^ymGrnimafiiGatian; sn^S 
sSsistlng th© iicsncs Of {he key {hsmfor ttcm Jhs 
first tostsd meduis. 



at 
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(54) Operation of trusted siate in corrspuUng piatform 

A fifst Risftexy mtsif^s, |ti0 srosW rfiWisofifHi cofT^po- 
<->«n! bm)m .y iseif conSasrfed iwics^otTOU^ dam ptocess- 

processing r-siins. a^id a main •■netnofv afO.:i. along with 
<? pliifaiiiy ol asisociatsd physsicssl aid iogicai fesosifces 
si-id^ isss f>er^haal devices Muaing printsfs. modsft-!*, 
sppiicate prtsgmmSi apstssifrt sjfstems and ihe iiks. 
T!-;* ca-fipus&f jiSaSferf) capsbie ol «5n5&f sng a pS«fai% 
of rtififti^mi stsJss of a)«i5ii!sxi, eacn §iatO of Cfioiaiien 
having s cSitferenl tevef oS secynty and Sfiisfvyorsninsss 
Ssiecied ones o; !h« ^iatss coi-Rsnss Irustsd states in 
>vn!Ch a ijser can enis.-r aan&'iivs considentfi-J -nton-nasior* 
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m 

m 
m 

m 



eti ?;--<,i-5 sn-^-s'id sn a f-spsoduc-bte and 



Fig. 7 



iWOi} The pfsseni ir-iversiio-i rsfatss to fhs ti&id of 
corrsputsrS: and parsicuiarsy; although not gxciysiveiy. to 
3 oornpoiing mihy which caf; pfeiCScS iOk* a trusUKi 
s}«?», sfjii a iTTieii-uxi of opsraSinjj cornpiJtiog w% 
•o i?ci"!isvo the scostea s{ai». afid opsration of coft> 
puling ofisity wNjn io tfje trtistsJsS suste, 

Batr-kgroond ! p the- in varititjii 

ci^snos ffiis snjo two cats^oriss, ;n&se b;5" =g aoj^^ssiic or 

!. - J ^ ttKi V f J. C'J fi 1 ^ 

& ptemof a 0? avaiiafels pf opnstsf y soo^pytsr piaUorm so- 
iulfons avaiia^jis aifl^«d al organaalsons making itom 
smai! businassss $o fnulii-nsJioosf organt^ations in 
;r;c5ns,' o? Sis&s ^spsifeations. a s«fvsf pfetfoftfs provides 

lof a pi^JiJsiiiy o! ci(5sit ststion*. Fet t'ussf^&ss use, ote 
kay ixiistia are sefebilisy, mtworkmg features, and es- 
cjjfHy i««iyr«§. Fot such piailof!T(«t. Microscsfl Wm~ 
<5csvvs NT 4.0'^'*' opsfij^lrtg sysisfn sscoritnon, 8S wsil as 
jheiifRixT^'icipsraJirig system, 
|0004] With the socfs&ss in ccsrsmsrciai actMty trans- 
sctsd ovs-r ths imemsu kmm ss "s-cosrsmercs*, Ihsm 
has- fessf! n-suc-h <ntsrs%l in tne pnof art sn enabiing dm 
uansadions i^stwssin cos npiitin^ pL^tfomu over the \n- 
tfffns- Mcxvsvfff becKiuss oi' ths posemisi for frayti and 
;-nsf-;pu!3;.i0i^ OS fl.^ciron^c d^nia. in s-sjoh {ifoposais, htl^ 

fisnd efiioo:-:- nvifKs..; p^jcs; h<iv«; s.a tar {jess-s hsid sack 
1 h.{? kinsaififjvsia! s&sjsio iS ofis of ipjst bsttsesn int&fact 
cosripuissf pSatorns iar th& msiktng of ssjcn ttsrisat;- 

(000.5] "ii^f" . ^ ' V <■ ' Sv'^cmco 

I. ^ 1 So pd 'Uv! ^vo; 

si. ihat :& ',0 say \be ssc-urity ieis^ufes !',r>i inhsrsntiy 
nsiV'? 3::!5:a£!v sppt-arod on tnt- rnark-T; which hc\XKie a 



sn^att c.3-d xshsch cor^tarss d^ua spocsstr 5oa user xvhch 
i& input !ft-o a srrsart card mstdsr on ihs compiuOf Pres- 
ssntiy S!jd> smad cards ars aS the isvel bssng add-on 
a>sifas toconvsntiOiial psfsonaJcosnpijters, snd sn scs-n« 

s cases a:-^ («lsc^ra'«.>d inics s cassng o{ a k.no«n con^putsr. 
AitnoLiOh thojjo pisor std sohej-n^s. go so'tss way to sri- 
psXtvin^j \hG s«;;;uf!iy <.<; cc^ripijtet pfejiofws. !h8 iev^is o! 
s(jj;«B}v find iasMwortfjiness gained by pnor ad 
sdmnsjj sTsay hvs co«i5id»r^d irs^ijlfit-isr!; io ijnsbiis wid«- 
spread stpplitJation oi auSofnaiiJ^^ tfafssadiivss bsmssn 
ccK^puie? platforms. Pot i)«sin«s3i5s to osposs signtfi- 
cans vaiiio ttsrisaciior-s io 8!«c;Srcsn!C cGjrsmerca on a 
V y ^"^t V X! =;va>c mi>v faiu-rc w^sdsi^c^ -f^ S"ic {ri«t 
v^>o-;r-t-!4 i'5 ondsdysfsg lechnoiogy 

f'S [OOOSl F'iiOJ ari cctrspviiing piatioifji? h^jvs ss^sfal 
pfobfems which slartd m the way ot incrsisssing thsif in- 
herent sscufiiy; 

* . . . ii .i. <:r!-rjp!.!ior -sysitJtn jf piai- 

fes piaJlonT: sir,d daia on pfe-iCini :s coriau-ntiy 
changing and ths computer piasiorm jtssif snay b® 
dyf?smjeal!y charsgifjg, : 

* Fjsma sscuriiy pmXM v1*ssw, esimn^sreiai computer 
pia^fosms, is is&d!C:til8f clisnt :piaifom^s; are oiim 

V* dsployed m envifonmsnis which af$ vulnsraisia to 
ungyfftodxesi frsmgieato. Ths maih arsas: of v:ui^ 
: nersdiSiy sRducio mes^fetton by sot^vsafs: iosdsc- 
by s user, or vfe a network o^nnecJioti Paftioisiady. 
but not extiusiveiy, ^OJW^niionaf coff^pyisr ptet- 

ss fortr^s may bo vuln^fable to stfsok by vlros pro- 
gisam. wish ^^srying s^sgrssss of hostiiSy^ 

* Cm^iiim piatf osms rmy be apgi^dsd or : Jbsir car 
parities may axsiesd&d or rsstdctsd by physieai 

^0 modificatiof?. i.e. addifcon or deletion of compoosms 
suehashard disk: drives, perphstaj dflvsfS: and ff-is 
dike. 

I0m\ fiBKK ^ . — . . , Jf-^', \' 

*^ pii-as {<vst*mi ■ id \' co<' ; \, ^^. s- 

vf&fs- Thsso sefiijf i'y JeaUires ate piifaaniy ain?sd ml 
Ofovsdinxf divssson tniosrnatton wijhin a co'v^mijiTity of 
ysara of fc sysssrn In ths tes^w:! MtsresGif WindoiAJs 

\~''^^-} vJ ^0>N ^t(i<'<^V "is < i,--! ' 

Si" ciiisy caite-d a ''syslcm log evs.>f!i vu-wor" ^n which ? 509 

tsrf? softwsifs. Tfiis Ssciiity gcss sorris way to snapping a 
ss. systsn^ ad5-n-;iisrr;SiOf io sesunty moiislor Dra-sasectsd 

\QmBl into ,r->c' .j^T rfi « un , 



3 



4 



Mdck f?: <jxa!>:p:c- ;jy virusgs o? which \Uem ars {hoy- 
sstiids ot d;t?8s's!f)« vsristies. Ssvsfa! propdstsry virus 
tirsdlng andswrsctin^ sippiicstionssrs toov«-S; ?or sx-Sim- 
p)s Shs Df Soloa-mns vif us toolkst progfsrn Trss i^icro- 
soil Wirsdows NT»» 4.0 scttwsi'S inciudcs a vo'iiS guisrd 
soS^wJste, whsch (6 presei So look fof Knowrt vitysHSS How - 
sver, \,'i!us sttaij-ss ase tievijk»>3n8 co?-!Sit)«oysiy. ars(3 the 
virus sofiwaf© wiil r*oi gi^"? reiiafofe pfoiscJion 

bisin^ d«vebped snti rslssissci irt-o Iho c.orf!p!.it!r.s ao« 

^ i ^ M ^ ! 0 • 5 t 5 h (S si 

fOfJOSj " ! - ^ ^ .(( rj^y^terr^^orcom- 



sssd pfs-d--ji«fr!>ii-i(5d staJs is. mcr?!torsci by motiitor- 

|S0i6} A 8SOS file i^^Siy be provided w*i(Jiir! the f(\om- 
s 'Orirsg coiYipornani stesi? By pscviciisig tiie 8!OS iiie wsthis^ 
m§ (wnitOirirtg cornpon&fis, tns BiDS fiis rnsy i5e inhsr- 
sotiy Srustsd. 

(8017) \n sn aUertjatiVfj ernbodfrnoof. ssid ccxfpyle! 
platform may cwspsis^s an intortuiHitrnwaf^ coripotjef-i 
*e c.on?ig«f ?c} to cofnputs g digssi tigUi o! a 8!OS iifs daJa 
stored irs a ptiJdstermift^ rnsfrsosv ssJiics occupied by 
a BiOS Ij!i5 !>f SiikI cosrsfVijt^r pSssiictsr. 

vs''^t>o"s5'"?'t? WC'V "i?>lfrT>'^*bxi ! ^ 

^^ocss&:n§ iTiesins sntJ s second i-nsrnosy tY^sans. into 
a'( op'jrauonai i.-iate o'' p!u;r.«:i;y oi prc^csnJigofscjop- 



|-!«vg 9 hs'jh dfsgiss o; coniid^ncs ihsi ihe cotripusing 

and is opsiS'Jng m a prediciaiJio sif^a know;-! mai^asf..- 
lOQli] Ansiher (ioi&c; c-" Ei-;?-! srs5;&::; ■■iv«}fv;ior( Is to 
simpiify a sa?k ot judging wheiiiof a if !;$.tvvof!hinsss »f a 
complain^ eniiiy is stiiiiciej'js (OporEofm paflicuisf Jasi« 
or ssl fasl^s Of iyps ot sask, 
ICKJISJ in spsoi'ic impiefTxsoUiiiorjs oi -he pmseo? i«- 
vsfiikio 3 cofppyitr-ig ijf'tiiy )s oafJaOis o? rsssditjg m a 
piy?gii5y oi disSiffpj oporaSirig states. Each opetatin^ 
stetfj cars i?® dlstioguis^iSd ffortj oti^ar op&tatirtg $?«tss 
y^Sffg a set of inifi^jsty rtwtiics dass^fjed to distinguish 
between these opamlsng statsS: : 
|0013] According to fast aspect of Shs present inven- 
Lion Shsrs is provided a cojrsptiisng srjtsty corrsprising' 

a cosripuier pisitotni coft-ipri&ing 8 piursiity ot phys- 
!c<s' and 'oo^cai resoufoss tncfydinga first dsts proc- 
0S40;- arid -s :!!s«t i'n&r^ioty n^sarss: 

a rr:0:i!;0fl;-:ci compo: iijn! cO!r!pr:s-if>g a ssiiortd data 
procssscx and a mcorxi m&imfyrmnm: 




so; oi l!Vi!!a;:iiOf: > iof con'igiitaitOB of ssid piia^siiiy oi 
into sa-d pre-distorrnsriftd statS. 



state according to h s-iou^.s instrtitiions; and 

V* wharsin ssid imoniiofing con-jporisni rnoniSofS ac- 
tivation ij-ito said saiectsd s^le by recosxjirtg data de- 
scfteg which o! s&id pteiity of pro-<:o!>tissjred states 
said:Ge>mpyf§rp!8tfi>fm ieaelivst^o )Hlo< 
pcjiai $5sid fnonsoring eoshpor^ent rrtay oootlnui? to 

M rfBsistof said sei8<sad i^ataaftsf .aaid oomputer piattorfji 
has fefsan activatad te Ss^ld sslaetad sjats: 
POSO] ©aid monitsnng compment msi^ ^mrst^ & 
sMs signal in fssponse to a signai inpui dsr ectiy to s&ici 
rrionitofing sotnponerst by & ussr of said oomputsng sn- 

^0 titV: said stais ssgn&i cor^tainingj data dsscrifeing whscii 
said stats &a--0 ccrr-p'SiSi pidtiorr-* has, efttorcci 
lOOSIJ ir* or^e errstjociirrsent.. s&id 5eS oi stored instfuc- 

•'tO'^S -^f>v «^e<'^ vrtO ■.^ -I f t. <. 

*^ n«m Os-sce s-«?i«CtiO!-! oi sisid i^t-^i-s f^.is. -^li^d-? ao- 




i'i' O: p:«,--o<;tUigyiod saals-s mxl s.atd .-jic-p oi cj-.i:r:;?;aUn9 a 
s,tats;- s,«}!-!ai oosoiXisefc ijsMftJtatHSij a ^^tij sigfSix! -n 
s.fx>ns& to .-5 ijse-f input accspica tnixjugh said ussf in- 
teriaco. 



3 



LP 1 m m At 



■) -J r " <^ U s ^ a*" -5*5 

<-(K iJ <i >\, s (5 ^O'' 

inm: 

r t3 Si^*? % c '• or ptf pi<a{f t"" 



6? I (. tq It ( i h«; ! u <. 1 

»j f^-^SiVfed * J t c< 0 V t\ Oft i f <. c J 

Dsjrtisis; ana 

■cptpiririg said fe;5t s«; q! msisic data sigpiciis ob- 
i«i m 1 n ? 



^1 i -S^ 0? 1, It « > "if 



J s n ro--) J? icx.<f i ? o «<J d r Mr? toi^ nr rim 
i« Soe * oci- fptf>v3 fey « 3 OS s s i^t i-'^'^ 
f>t. f^f m io''r;5 an xsu^s of ci -^£s-rt<^ 

i ^ J f 3 5 t <. ^«<^ J -J 



<i*<v<}ti 3<>3ifcJiL ri{«U* piti*< 0 ' >«i ! Jf^i ! 

«>^vi S« ovi« p <\,-^ iiS csS! 'tp r-i n J t <i 

{cm aT*!3«>-dM m '^o at i,r)t^< 

f mnfi I for *,o i<^utr o ? Jroiif- ny 

iroJrf f ^'i !<j t- vf Ct --iCS ftC>^S^O! -^v-r 

fi'^ fcVfcft ".iJ^ <s t^fcf 'edit fiiSv 



8*^-" nqre '^t'^ond nv,r-n.i t ^mt ». 

^ urn jt'h si <c >-»('i JVtkf h xvittun 



o! f-icj. 1: 

( est <3W f JU^ k tr :k -^tj* s} 

i > ■(« \ O ' \ 10 t < ( « t J 

» f f < f 5t < t-i o 'of< r J s p ' 



^ try Ha6 ax i Uo s*^tf 



^n.>^^U<^ t ioni< 4 f isd out b\ -a i. 



'le^'^jo'^ n its « ^ e Th> l>^«, norulo- 



Sienc and 



ot th& Of rvjsftvjs 



C t S v»f?* 1 



vso ""h Of t 



m 



msisr,-i ard a mender'/ rsisans,. sind which is pnysicai^y 
as-sociatsd mib a componsftl known Mmri d'i^r as a 
"jrusled coniponsnf which n^cjnstors opsration o? \hs 
corr^ptitsr piatfciTfi ijy coiSscElns jYjsirics date from $he 
computer plasfofm. ar>a vxhien re c<*pabfe of ysfifyli-igto 

\Q( pteiSixm lo the cof f-3c! fiJ!x.iior!in$s <::■? cOirtpuStJf 
pMissmi. 

f003?3 Two OTnpyisog sniiUss ssch pwisionsd wssh 
such 3 itxi^^S cofPpo-isrit may tm«fsd wSh S4ish (Ahm 
w)Jh a high dsgfes of "rust', 7>)a{ is to s«?v; whsrs the 

olhor She seoufiiy ot ths tnteracUon is enhance com- 
pefscs io ihs C3S8 where no Sftsstsd cofrspcnertt ss 
presgfit, bscsuss: 

* A jS45'vJ*aco"Vt-t ' 

i« ihs iniegrHy sncs sscy f ity of h!S.'>:Sf owft e-ofppuSef 
&>iiily an6 -.r, 5h6 J!>{egtity s^t'sss sscyriSy ot shg cam- 
puter sj>tf?y teefeogirtg te tte othsr cO!T!pusift^ 

» f:s?;h srstity s sooficisni that Sia oJhsr entSy is if) tact 
Jh« which 5 pitfports tit b& 



smisies irtssraciifjg wssh ths s?-smy hsvQ a hi^h d«- 
gres cs50fid««c© thsi the mUy does sr, fact rep- 
fsssnt 3!.ich a pafly. 

♦ The !r!JsU5d c«f?-;j;o;-:!5ni :!-iC:$:<-)45r:s ih«; irir-jt-jr-- $;t5- 

iTsonstorliig piocsss&s (Cfspietr^cs'st^ iay she tfusied 

« Ths cofr?p«t«r emity 'm mors iik^iy to bQhm& in the 
way St is 8)«p8£Sigd:to behave .: 

hi speciJic&tion, it^e iemn "trisstsd" v>iher4 
jssd -.0 f^Lstton 5o a phys^lcal ot iogieal component: is 
ussa to pu*;-!!-! a physical or iogical coniponeni vsfhich al- 
ways Def-svfi-s -.n m sxpsctsd msnnsr. The feshaviorc? 
jns; ;-o;-f^pons.-ij i5; pr^ictiysr&artd fo^owrs. Tmst«<jcom- 
pojiSiiiS i-sva '.;! hic3h degrss of -^ssistsncs to imatJ^tiCf- 



msiin davs pfocpsssn-j md siorscss faciSsJy of a con^pate: 

|Q040j Refstsing to Ftg. 1 hsrssi. Ihssrs is iiisjstfatec! 

scheftTatically ons sxsmpis of s coi-npiitsif entity accorsS- 
s in55 to 8 specific impiss-nsnsation ot Ihss ps-esssit sivsntson. 

Rett'f f tntj so i- jg, 2 oUhs actw ipsifiyinsj dfsvsings, Ihsrs 

!S< ;!!U£;sr;3t«(3 schemasicaay physiaiicwirssciivi-y o? soiT-s^ 
ihG co!T>pot)eo!s o! ths isysiecJ swiputsr sniisy of Fig, 

1 . Rgfprf sfig So Fig. 3 ht'rpis'!. thstsj is illusUisSsd sche- 
me matoiiy ar^ afci^i5e<;Siif§ o? shs trysipd cofnpyt«f erti-y 
Fi^s. t and 2, showing phys'-cstl ccs'is-sssctiviiy o! c.ojvi- 

p<5»-«inii5 C'i thft s^nsi-y. 

C0C41j in -i!; s p \.>! u ^ 




second peci-sso; a;-:ci a ss;Cond 'Xie-y-oty mt^ans., 
-i> sfh ■ V j, . . . >- xii <^ \ osUk; ■ r'fs t^o > si 

i\-iK!>! -X< "-X Xt XfX .'^ 

,0(}A2j It K ,0 X m 

, - . . - . v<»'i! '>s- . .,i<v - h\> ' - S\ 

invef5!!C>f. simi o'h-^f ffnt'Ociim^is-iis oi invoniksi'^ 
may 5aksths fofmo'i a paimtop computer. & iap;op com • 
pyssf, 8 s^tvQf'iym cosTJpyiSf. & mohiie pnor'ts-type 

v's> computer or the iiks &m she invsntiof! is or^iy i>y 
ijcopc ot ihs oisstn-ss nsfssi tsis bss.; iTiD.3s sxat-n- 
piij jies;<;t!pe<i nefijiri. sh<5 coi^ipsjipr efiiiiy coirsprissss a 
cs-pi-sv «:'>f;i;Ot 100 a kaybo&sd tiaSa {-rsSfy >fje«r-:s '0' 
a casing tOS eotr^pfising s frfoShastjoerd on whicf) is 

ss rtmmt^di a cfe^t^s psx^es^sot; ona of tnore data s50fags 
msJSfis a,9. iiartt dish drivsa; a tS/pafnic fisrstSofn scc«s3 
svismory; various sfipai and output posts (not iihjsiraied 
in ); a smart card rsadar 10S tor acceptlrig a user's 
smart card: a confirmatfors Key 104, which a user can 

^0 acsivsie vsii-isn cortfifmin!^ a trarfsaciion vsa {he tKi&ted 

tfackt-a;i do^ cs ; Oi' aod 9 tmstsd coTooritsnt 
[OCvi|33 Referfing <o Fig 2 hemi;-; ihorp S!!<5 iin.;4;;ai:Ki 
s-j'^«oiM'''ecf^-^f\pe'^t4,(..'>''fpu . <■ 
0' lint y i>c jutn<3 spybc >o " > n 



Qssvice being ii tSiSi stccsss sTiS-roiy area, s g a ffsrsac^^i 
3tcss& msmof;/. a 3IOS (riSinosv' f-i^jts 3(;r sf.isf1 carci 

of aciciress llnss 303: s t-onfi!!V}3t;OE-! ksy iotsrfacs 
and a dssa bsis 304c-c5rsr;sc{iiig She prcscsssor 201 , trust- 
oornpcmsrii 202, fnsmojy srsa 300, « BIOS metnOfY 
component 301 sr\0 srfssrt card sniwiacs 30S A hanS- 

50 cofprnufsicsits wish ths processor 20? iJSifiij !he bi^s 
304 

•■x;;t.-o Dy d:;;;-! bus ^.04 Bis:- utovidgd {h& a'TS csf mors 
fi; !;d Ji:; .^ oi ;vt; -r^o'ito: y -iovtTC:;; 202 keyboard m- 

bsii device or 5h«j itks, ri^odiici dsvics- ■iOQ Sfr-i's 

tisscfibscf previoiisiy; the q-sK drivscsi. keyboaid, rr-ors- 
iter. and potnlsng dsvscs beis^g abjs lo ccrtmuntes-s wiif^ 
Sisocijssior 201 via s-iid data b^s 304: ano on* or rr-fire: 
periphera! devscBS 3{57. 3QB. for »i<8!f!pie a modsm. 



connect dffsciiy io dais bus 30^1 AiiSfsnsuveiy S!-tt*tf? 
card fctsdsr "t03 may co!ir>8£:ts-d dsrectJy io dais bus 
'JO^. Gn ssch "idsvitiy^S snisri card sTMsy be stored a cor- 
rQspor:di«9 (sspectjv« Imags date whsrsh is difierenS tof 
sacn WTtfert osrd, For user s-iieraelions wsSh 5ne tfustsd 
c*TrspCff>iSs'^t s.jg, for a diaiogus bo>! moniJO!- display gssi- 
s«diKl by l^:^5 trysUBd corrspooerst . ti-js i r s^sted cojifipooefjf 
tjsKes she smags dsfe frorr? tKe user's sjrrsari carci and 
!.iS!5s this sis ;i i;sac.k8royOi^ to ih(s d«k)gy« displayed 
ot) Eh$ tr>cs;>aor 100, Thus, she ussf hsis confider-c^i thai 
ti'TS disiiogys bo^ displayed o^-i ths rr^onstor lOO is gsfi- 

«!!iS!-Xi hy tnes siXiiJisr^ •Xtf^fiOSiSni Ini:; irnSt;)!;; tSl^an !-5 

prefsristsly Cjawiy scco;;-" .^abk- Isy ;^ nui'^un ^<:invj ;i) a 
sTjanrissr et'cb ^sny iourrj.^s xvo.-o !,\- !rp-!i.xi:.^'< iv 
iippaten! V';i!.(^iiiy ;oa «sei Por sNarrsple, ins- !rrvsCi« d.J?a 
!>!i;y oor:-i5rjse a pjrjotograph of s user. The isTsage data 
c>" Uf^ n c-i-d r^ay bs <.jn(cttje to a person lio 
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avpto- 



-ncsiv 



Uo'.-- >;sv i04 ;s activaJoci ijy a viser Sijoh ibai a ussr ;-sc- 
tivatsng the cwSimJstson ksy sends a signal d^rsctiy to 
tfJ8 trusted cornponsm, by passing Ihs dsita prcx;- 
essof and Srsi msnrsofy sriesrjs o1 Ihs comput&f pi&tJorsrs, 
[0047] in one cmtjodimerss ths jxsrifirmsstloj-i key may 
piyrtpisse ;s $:-lmp!.-5 Sivisfth Oonfisrnation kpy 104, nm 
corifirrj-ifi'iior; koy c5rft,w S06 provide a prOtSCtiJd cort^my- 
fsjcallof} paiii ;PGP) between a user and ih& trysted 
oornponent. whit^i tanoot ije intsrisfssd wstf! by proces- 
sor 20t. wf-skrf-! fey-passes t^ats tsus 304 aftd wtsloii is 
priysicaily and iogicsify unconnsctsd to memory aros 
300 Of hard dish dxm msrDory device(s) 203. 
|004S] Tryslsd conrspof^en} SOS is positiorsed logically 
anc! sbysc.-!!>y op^ween (Tson!^:^r tOO ^.nci p-TCSssor £01 
ins coi-iipuisnci piaitoriVb, so that tf>e trustsd compo- 
r^srr 20c n^is 0;'<3C; cor^troi cv5; ths vIsvSfS displtsyed of> 
monlto! 100 'flhicn c«nnot !>e intsJ-:ftrs?d vsdih t>y procss- 

(00491 Tti^i ir^:s.i.Ki cO!v;potH-:f^-5 "?r!ds. its- identity and 

tfosjtsd processiss :tG the corj^oiifef platfcnn and ihe 

s Mix ' ^ r ^ ^ 



ory 4C4 ooiiisctivftiy cornp;!s:r;9 ins- srworid rrserr^ory 

means SteiOin t>s-i'offi r<5i&rreQ to. 

^QO$gj Trysted corripon^r^t £02 cOiT!pfis<5s a ptiy Sicai- 

V* ly and iogicaliy independsnt oomputiiig enl'ty ■ifD^ if$ 
ccs-rtputer piattorm. lr>ths bost n-joda herein the '.ri-^stad 
co^i^pOf^ir-t st^ar'JS a frsolhtssfooatd '\ o^'^jio 
platfom? so xim the trusted corriponont prsysicaliy 
JsriHsci to the computer piaifom^. !n she best rrKxis. «i"<a 

ss tfustsci co«!f30fief}! is piiysicatty distinr,^ ton the cofri- 
puter piatlorm. Is to say it doss no: exist sofeiy as 
& sub-ktnctionsiity of ths data processor and memory 
ma&ns comprising the corriputer piatJorrrt. but exists 
separately as a S8pa?ate physical data processor 400 

*o and sspsfste physicat rrtsmory arsa 40 s . 40S, 403. 404. 
By providing a physieaity present trusted corrpfjnsrit 
sepasate sVom a r?tsin processor of the coiTpyter snti-y. 
ihe tr!js,fsd sompOiierrs br?5cn-;ss i-said-jr ro -irn-;:; or 

*^ ps-ifioisvi. Anott^tM benefit -.v-ch d::s;'-j •:<■;>: ir:..i.i-Ki 
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Jfrspof < 



7 



13 



1i-<isrs(?c!re h high dsgfss o1 "tfusf in Sis opSiXUion isno 
p^altorm. 

Referring so Fig S hsrs-Ei. ih^t^ ■% im%'jfs.\^Q 
schsfTiSifcsHy 8 togicaf srchstsclurs of (hs computer ert- 
1)^Jf SOa The togicssS SfChiiiScStjire a sseVso basse dsvi- 
sion be?we«3rs tfje c'orf!p!.i5!5f psatlofsri. artd fris trij^iijd 
component, as is ptesisrst w^h ths f-hysicaS «!chtt<icUi:« 

c;>mpc3n?jr>t !5 iogic?5iy dislirscl ffoi^j {h« cornpuSer ptel- 
i'of'fi So which J5 !3 r>hv5<c«l!y mkm-i Thscofnpof?" ssf^iity 
compf isss 3 s.fi;sr s;pse& 50 1 ssrsg a Scsi^icaS spfscs wS^seh 

C Ci C Hi 

(y>-npc'f -vv ? V -ft j ( ^ i i 'i 

physicaiiy rssidsnton %hs ^fustsdco'jipv"; £■">: -i-! ine 
liSff SP8C3 50! s.3gor!SOFapfL!f<3i>tyc- r xt^'S o:-e 

C iilv vol ip^iiU-^ C-St"OC> r r'ib.. ! . rCO 

c-eiv<ss jrrag&s direcsijr Utxti ttmim ssomponm 
space S02. Ext^rfial to trse compuist entity ars sxtemai 
c-orrifnynfeasions nslworks e.g. ihs imemst SO?, and 
varioifs loca! afss nsSwofHS: wids uma mtmfkt 508 
which are co^fj^tSG to ib^ y^sy spaco viJi 5ho tinvers 
503 irVhicfi msy inckiiSe <Sf?e mo«5 m<xiw ports. 

fOOS4} if? !h« ttijsssd corrtponsnt spscs. afs rssidsnt 
ihe Srusted coriiponsnt iS$si\ dispiay^ gsnsratsd by the 
utistsd corrspcsnsns on motiftor 100; snd eonfirmstior) 
ssv 10-;, nput;!nci s contifmi^tion ssgrs&l vis contm-nst^or) 
Ksv infeitace 30S. 

fOOSS] !!-! 5hs i3£ist rrod^ caffymg out lh« i«v>sr^tkjn 
ins compySino s^-^.tisv s^as s psurailsy o? ■■nsxJss of pps«J- 
tion, ■&')ni:6 to iifiifiin sIMSs Dinarsnt 

p'jtif^i^ s^-;!,^ 'v - \"'- c '< f c ffts. J ta'^ks and fys-sc- 



* A j-sKtvibsr othm sl&tfiis into wisich siis compifisng 
etri% can rstovs ifOfT! thfi parSicister statS: A'ishout 
cs-bcxiSing Shts computing snttty, 

* A i-iun->i>&t o? cij««f(«!nt siaJes ?!-Qir( whch shs pantc- 
s i3\?i( cart afrivsci as. -.vilhoisl rs-isooilncs the 

Gompiitsrig anliiy. 
» The iXinnecsivi-Y of 5hs cixopuisng ^^^•!t^/ wSuer; is-s tie 
pafstc«fefsts!i5.aha! istosay. i-sowtjxany csihercofrs- 
puiif^^ <5ni sties or d«vic«5J thi> ersiiiy is connijcsis^sle 
*e io. •ov^if tSss ioiismei. a Widfi aress f?eHvof!<, or a 
tesi afjjs neiwork. 

* fiesSdciiGns x$n mpsji ol dssisi tforn S/s ssterriSi 

a CD RCK^ a mocief-r! a LAM pgrt: or the iiks. 

can fseaavso :t a CD \vr;ie( S!Oj.n->y 0:s^c d^ivs of 
exported ihfoucjj-i af^ ;r-;ts(tacs lO a fiifThsrco-Tspuier 
^^f■!ltiy ave( shs sniijfnss, 8 feoai arsa nsivwifk, or a 




» A nur-ificr o? c-h8cs:s v^'hscfi lU'sd lo i>a JTiada bate, 
ysc. enicf iha p,-5;i5Cs.!i;-!f 5iaw 

♦ A difJicM^Jy of bypassing on® or a piurasssy <^ oiiacKs 
v((hich m^a to bs nrrada bofors a mm cm &ntar lh« 

5* pattfGutersiata. 

» A <iimc.any of ovsrccs^ing. withosjs bypassing, '-^'is 
or s piiJraiisy of checks which are rflade bek;!« a 
er at the cofn^jutsir an% can enier th-j ooi-npuisng 
entiiy snio SfieparsfcaiarefeJB. 

IPOSTI Tin iruat pfec^sS m iiie compmr entity is costs- 
: posiSd of two sepsfate parts; . 

* Tfss tfusi placed in ths imsi^ component sfssit 

*s * The certainty wiihvenioh she trusted cosnponsnS can 
vorisy operasion of tha cofTspijtor {^rfSi^y. 

piacsd if'f'ihs- con-spirfsi entity are ^mmm&S as bssnt 
# reiativs to s ;«vs; tsust wi^sch ss; psaced sn ihe tfustsJd 
ftornponcni. AithOLiqh sh« arnotint ot irusJ in 3 cojTip!.itsf 



IS mti 

1i-siS tfu? ; ;ponont b«t s.-xle-ncisd te various pails 
of ccn:p:;;c; p!;5S:0!:n, With {tis Ssvsi add eYimX o\ 
Imst pv5c?d !)■) sndividuai i^fOiis oi' shs co-netissr pSfi'Joffrs, 
bsiftg cfepsndsnl upor^ Ihs fevsi and ieiisbisijy wsth wJ^sch 
1^8 coft-!pC8isnt car: nx-s^itor Jhst ps.tscufsr a.'ScS 
of the cQwpiiStog p^altoft-n. 

10061] Ssnoe $he tr-jsi-^ci af>>8s of iJifJ eorftpuiing pfel- 
to<r-s are tfcpssicSe!-!! sj;:(X( ih«: srequarfcy, si,Ki!S^K at)rf 
!hoKB;ghrses5i wit'-: which she J; component sppiiss 
« 5<st oi ffiistjjity ■! - <n 5 < rns io \M fsornpiAm 
p!a»!Ofs^-: is fi^s if-js tisci i-OiriD;;-.;.?-:^ dos-s not cosnprdiso- 

o n o^^pxi ^ < 1 { r i -c; it >.'H V 

ifust pi3cs3i3 in indiivitluiai parte ot ihs compifSssr ptafetrfs 

so ttt! abiiiity to rsaso!" mbout the isvsi ot rrijst VithiCh 
[0082| Aistsci-tgh various tsiisnds or co(npijts:r 

f!,S>5* O^n''""? ~t! t » < < i)!-^ t ffet-^O 

c-omporfSsrs space 60S j h;<!f:.N^! ievtsl,. tfiQ 

isvs>;s 05 trust FO'- sxsmpie, spc' cat cn?. pfogrf^Tts S04 

•ha c;o!f;pu!<j( cntiiy for iw- opesra-ior; which i(ivo!v--55, a 
p&-i(ctjt3fty iiigh ot con'KiontiSsiity o; isofmy. 'or 
i5)i5:rnpbj woiksng on g new business prcipossl. estiin^ 
pay 5s;$(ies tor smploysss w mmWm c^ere- 

■iorjs, sh«f? the humm imi m»y becofne wofried about 
snlsfif5§ such sSetaiis orsio She computer platfoim be- 
cat!S6 OS" ths nsk thst ihs confidcnSiSSty orsscmcy olthe 
intomistson m\i become compfomissd. Tfis conftdsnSisJ 
liiJormstich mtisl stcfeci in ths computisig sncS 
ii;l3;^ds OS' rjoh Sfust may no; sstsnd ov^t ttie 'Atiote corsi- 
puiisig piaifo!^"?! unifcriTSy Sfnd sviij-s {i-se ss-fts doj^fss of 

access particular sreas or im% cn fiio computtn^ ptat- 



o? irtis? coffssponcitng to ctifistfeni stv^tss may bs diffef- 
§r»s ffOiTi each other, 

|006SJ Retsfringto Fig. sh«:fs is iiitsstfateci scnsi-nsit- 
iCisSiy a set o? physic&i Siio locjicai rssoijrcss avs-i&tsle 

s to the cornpuiing antSy. sn the genera! css.o, ths cosri- 
p'Maq Siittty comprises, a pturaiity ot snput/output cievsc- 
«e SOj ki? comoxinica-stig with othar csxfiptiiJtig iXiistses, 
eKSi^jpies !j!.ich dov!c«s sficiuding a trxidet;-!, a iocet 
sr«e fiotwofi* post. >m Bbuxr-ei car;5. is hf-rd diei^ drive 

«e 203. e floppy diet< dr^vs;, isr;!3 :5!Tiar! ;<5«i:tor cfevice 
103: Hi E:iiJft3iifv of :■n^■^r;!o^y a!i;.=!£ 60 • resident of^ 

? ^ h.Hv.< is - ^ <. f N . !! it.h, ^ \ 

C ' V A M ? s u ^ ^. ^ 

ptieaSic?^ programs: 507 -609, 

osifriSd out. For sx;Sfr;piS in a tirst siaJs. Ihe cGmputing 
ss •5nS!t¥ fflay operate ijndef siontroi of a tirst opssating sys> 

■soris cspjibititiss -Of s;xari)pi& !-(;£Xif;!T:;5. (Jh^k rinvijs, lo- 

5?c.ono 3<S!t of Pi-ita ui^s afjd « Sijconp s>2i o' iriptrt-ouipui 
rssoyt^es, SisrsiUttly, for successive ts^ifd, tourth sfeiss 
tip to a toui mmbBt of statss into whic?i the con^pyting 
V* sntisy can be mt. Ttior e be ovsrfap botween tho fa- 
eiitt je§ avalJabSs betwssri tvsfo csi^srcnt states., i^or sxam- 
s;ie. a fifst and sSiiood state may ''S-e ssr;"*? opevaiiri.;) 
syste; wfierses a ttissd etais trsay use a pitfersr!; op-jr- 
atlngsy^-g^n, 

ss |W7| Rigfmrifig to Hg. 7 hefw, ther« (s litoiratod 
scfjem^flicssiy a s5at« disgrsssrs fepresenling a pluretsty ot 
siaiss into vs^ici^ the comput-'ng entity w^' "oa ptiscsd 
if? princtpis, there is no hr-r-n to ths o^irnbsr ot OifisrSini 
states which the computing esitity rr^ay bs piacsd, btjt srt 

^0 the 83iJ9*r>pis shown jn FiQ ? throe such states are 
shovsfrt- in the oxatr^le of Fig 7> she eosTipusing entity 
!U=5y be placed ir^to a first, trusted state 700, a second 
stats ?0t oeihg a goiierat p!.irpQS<s urttrustsd stilts and 
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if! she corJipuSsr BiGS Tns ccwpyiisig ersSiiy snay ariSijf 
eunsf i!'!Stfuslsds{<5ls> ?00. ihssetaxi stasis 7DL of the 
third sjsts 702. dspsncjiog uport hov; the SfOS tils ss 
ftontiguf^ Isi best ntcds hstsin s user of {i-se eofn- 
puier sfttity tias the option, pfovidsd a& H nisn« dfspi&y 
nxsiiSo!" 1 0D diissns; bcot s.'p of ihe compiler 
srstsiy, c!- as a ssiectsbisi opVm prosenjed JiS 8 sc!<s<5rf 
icof i. wfisfi in any sfeiS.. la ontof sjslhef ts© Sfysisci st«l« 
700. Of or>?: o? sKs oiiw sUUss ?0n, ?0g by setoor! 
for sxasvspis or-i turrs on , ths BIOS may be corjfsgumcS 
•0 ds-fsfij!} SxK? ijp ro thj- ss?ixsrtd sfete 70 i Once !« 
ins ssK-onci SUSU: i;;-;;;y' if^s^.■ f; di'Scfcn} ;5i;.:io 70D mi^v 
rsqs.iifg a !^ey input fmo-! a uss?; wfsish fi^gy if^voivswJrs 



c1 trsiccoprcxs-ssof 201 )& s.si.-'ed by ;; •& 3iOS corrpons:ftt 
3ij'i. The tf!.:S5ed cosrjponesil 202 iTssasums a &ot ot isi- 
tegfity iti&ttic sisnais trosri the BsOS 301 . to dsSefmsfi^ 
« sts5;js ot the 8i05 30 J i;) step 891 , Ihs grepi^tcal user 
insssface dispisys s n-senu optio»i ?Of sniiy into a piufalliy 
<S' (}ife«Eit sJat5J$, Oi» oi ths sfsies di5>p!sy«J on Mi 
is a ttiJSjSijdstjat^ as doscsibsiS i-s>!Btr\ bcbts TYtQ 
lisst nanysiSy 8 stetg in wi'sich io ssntsf by ysing 
th& Ksyfeostrdof poifSllng dews sii the grapfjicsi yser ki- 
tsrSacs. iot sxample by ciicksng a poinSsf scon ov«f is 

t^rfiattveiy sin ay-ofnaSie sstecSion oS a sisis rT^iay bs 



tfons on if^es k-sybos-Ki. by viswifjg Shs (wnitorsBd (jssni; 

- ~N . ^ . - v!;s*iownscn«fri4sS5cgiiy8sssi«ct 

|00?0] In orcisr ioents; thstfusssd sisss ?00. th^com- 
puter sniiiy musJ ijs siihs^ fsoolsci vsp fof ihs fifs5 iifne 
a?5«f turn on process 70>'! or rs^boolsd via the BIOS in 
rs-bcot piocesji 705 i'^s.-bcfot pfoccis /OS iS v-?.y ii'n- 

wiihouJ h-sving -o \>mo pc-wsf ot cr-:xfspi:itng <5(!;:ty 
0^ ViSfi a9;3)!i. To Isavs the 5nisi«d stais 700, 
cosi'!p«5ing sfJiity stssjsS again fefer ?o Ihp SlD$ 70^ 
\^4>(cf V invoiv^s ayJorrJJsSic mof^lom^^ {b« tf\iS5<sci corn^ 
pmm\ 202 in nxsnltor process 70S, Simiiasiy, m-ixjotfog 
via ii^s BSCS if? process 70S invoivse sutomlic ftioni- 
iofirtg by the ifystsd oomponsnt lr» rrsaiHomg pfocess 



siaiis. One;.'! m 
sjals. the ussf nas accss^s to a s«i of physscai snc3 logic&i 
!eso«K;sss 81 Jhat siato. For ssiampie, in a roiatfysiy in- 
V* secyrs staiS: yssr m&y Mv^ full intsfnoi a«c««s 
thfougb « modesn dsvfcs cofrsprssng the computins sn- 
tiiy. (tiWf- have tui\ scc&ss to om or a piuraliiy oJ harO 
di$i$ dtiv«s OE CD t &a(:Sers.''Wfitorg. and m&V tos ttJi! ac- 
coss te a tioppy disi*. (.UitfS, as woli tmin^ acc^=5s So 
ss g pfof aifSy of pro-ioadsd twBrsprciaily svaitebi« appiios- 
tions progfsfns. Ors ii^^ other ^ujnci. ii !}i<s yssr ssiests a 
trusted state having a feisiivsiyhigii levslof irusi, sn ;f)at 
-sMs ths yeer srsay have avsiiabis a smgis opsraSIng 
•sysiesTi, & iirr^stsdsst o? appiications, fo; ojiSi-n&Ss a vvo;d 



T0071] To isf-tvethetrasted state 700,. tr^strusfsid siaie 
csii only bs? isit siti-itJr by -yrning the powsf oft In powct 
down p!ccss<5 70?. Gf by le-booting ;ns.-cci!ripijtitt<s entity 



in pfocsss 704; botb oi wttich irivofve 8i.tetr:^t!C nwl- 
tojsnp t>y sii^s trysteti compofjeftt !ft frKsnttoring process 

708, 

1,00721 R-?-t'r: ing so Fig. S h&rein: thefe fs iiiystrst^d 
3 rise- \ .Lvi:'\ i nwei tctiowsd by ?t usst ti'^e 



a pfsnserdsvicg. bust si 
a fsoppy dfsl-; d^ivc 
Sacii sshJCtiOi'^ oi 
piit&f may be booi^?*: 
ixation 05 ths- .BK?^ ■ 



••3Cii-5b=«CiOSk«f!V€f, 

:i rnav be< rs$irscsecl. 



10 



IS 



s$ate (:'QV}, at mo Ihifd sisEs (702), m-s yssr rr^ay rssvi- 
qals {rem ihat state to sf-tothsf sMs in sisp SOS, tvniCh, 
in the fcss-i mode irtvoVss f^-bootsig ot ihs compoUny 
mmy vis im BIOS. 

scharisfeily prcsc&ss ti&ps catrssjd osjj by Jhs cofnput- 
lo$5 ejiJi-y for smertfii; v. ste-a via ixjot prosiest 704 gr re- 
b<iot process 7{35, 

fO0743 in stop ^00. iho cofnpuJei sftles s a Oocsl up sm- 
»!tf set tss s fssyil « power supply 5o corrtpuiif?^ 
orsSiiy beir-g turned ot, o? ss iJ fssoii of a yser sriputiin^ 
;5 !e-;56'; ifj&ifuc-kx; s:i:^:;:j; for^KaropiSby ciickiEKsf- poinf ■ 

;fi1S!};~:ai OiJS Xi4 Th§ BIOS COiTipOf-SO^ .TC : ;-; 




o; ths 8iOS, shergby sftabiins tf'tsrd psny antiliss \o de- 
len-nine a tevsi of tmsi vs^^^!c^ thsy frsay sOc5csl« Jo tl^e 
eompyiifig sjmlsy, 

|00?S3 '^^^f^ are $8v«fgi ways to imptefnem inisgriiy 
m&tfic rrjsasyfsmeos of tns ^DS. Irs ©sch cas«: Ifis 
tfusfiJd compoTisnt 1$ ssbis to obtain s digest of a BIOS 
tite vsry esriy on irs ths booS up procsss of the computer 
plstfofrfi. TK& fgllowing srP e>!ait5p!8s 

* T^^fi 8I<3S compsf^snf: trsgy be pfoaidsd as part of 
ills Sriiskid coft^ponent 202, in wfilch ffie ard^itse- 
iuf« iiiustfatsa if? F)§. 3 hsfsin is modif!«Kis«c*} that 
BIOS 301 mfdes wi^ln tfasted oomporssnt SOS. 

* T"he fifst processor 501 of ths ccmpylsr piatform 
may exscuis smmediately aftsf: rssst> sn iritomsJ 
hfrmmf^ cosrjponent wtisch cofrspytss a djgssl over 
a preset nrssmory spacs occupied by s S^OS fila 
The first processor >rVf)5«s {he digest to 3 priest 
n\itv:0:V 3pi*oc to vviiioh ooiv t!-!6 fifsravgrs cos-f-po- 
n^f-i IS. fibis to W: ;t8 (c ■hat rfierjioty sptics. Ths ftfst 
Qro::(;SHo; sfiisd? JiOfii ilisi i-ilOS fiis in otdsr to tsoo? 
i ^ \ . p.rti\ftfi At ajty ts!k-> <^fte)W(if£is<, ih^i 
t;:.is!<;;c; co!f:pon«ifv; rsatfe cMa Sram 3 preset loss- 
iiiM'! v.-ir;:;-; •!■;{; mesfTsoty spiiftss to obfsin 8 dt- 

* The tfi-iSLsK: co-PijO'i-on- n-iav t;e pckirssscsj a 
rr^smoryiocation axvpm by BiOS 301 , so thsHlw 




■etorscJ irs the truststi compoinsnt. 
'rhstfifsJgacomponsnt may montoa nismory cosi- 
l:"0i Sins land a rs&«>t i-io and i/fsrsty ti'sat ih& BiOS 
conwnent 30 J iS il-ss fsfst (V:s(Tior^ iocalion sic- 
ce*s«d attar ii-so corrtpiitot pJattoriti rassia At sc»-n^ 
atag^ so tt^o t>;x-i psocosi, tiic 8IOS sassss ooatroi 
to ths irustJriS !x.-nij;o!ss3nt jsnd the ttustfxt compo- 
nsfjf cayses; ih« YuaX p-'exjsjso; the conpytsr pist- 
torm to c<3mpi;te a digest of tho BIOS stfKi tety rt? tf-ss 
digest to the trusted corfjpor^ent. The process ol 
cons>!.iti!ig the digest arid writing the resui- to Jhs 




sy£;s-t5 iS itsi>t! iosdod by ihe BiOS progfarri infeg* 
rit> frt • o>t tti^ cpcfrstiBg sysif rn ioad.09 p.-c-t^'err! 
arsj ^iisc! rneasi-ired by comptsiing a ciigast of th« 
V* Ic>a<sin9 prcgrarr?, 

^676] In cYiR <jf?-ib£Xii(nes'i,. t;xis!e(S coniporsani ;?Q3 
may iptsrro^iate sndivjduai {;orn!Xjn«nit of the <>:>r.npij!«i 
pl8^«)rrtv fr> particwiar tjjit^i <li3kd!lve trxtoproses- 

35 sor 201 . ;snd BAM 301, fo obisifj data si^fjais dirediy 
froff} those toi^Mdua! eornpos^ente which dssohbe ihs 
aiatus and condition ot t i:^c^8 oamponents . Trusted cotn • 
ponerst SOS m&y compsre ttis matdc signals racsived 
from tha plyraiity oJ cotnpomfiJa c! ttie computer entity 

^0 with lbs prs-fsoordad matric data stored is-s a !ria;r!or;/ 
arsa te«arv>3d ios access oy th§ tfij&tcci cornpc-i-ients,. 
Providsd inst t*^e si9!-?als> fccsived trom shs cornijonsnts 
ti-te fsxnputsr platterm cdrsctcte wtlh ar^d-mafch ihou 

^$ imstssS coriipcnent 202 provides an output sigiial con- 

is epetatios coirectty, that js-io say is trusssd, 

10077] in step 905 BiOS censjiytos fTisniJ ittspiav on 

i«. p-sphicai iisar !«te^1^=^cf^ or date sntry ijsing a pcsntsng 
device, ;&g:. awtjsa 105: Ins SiOS fssasves i^ey tfiptsis 
frofB s user which instruct a stsre in to wt^teh to boot in 

S.tOp Ji04 "iilO ti!J{.-i'XJ COfniX-VX.V ,5 OC-rit' ,3 
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ssparsifi! tftpi.!? tfom corsi'ifmstion key i04 rsquifiog 

iniSfrss! bus 304 of the coo^pussr s-ntfEy and accesses 
Imstsci cofr^pcftsns 2Dg difsdiy, in iidciiiw the ijssf 
ksjr' inputs ssieclirtg the state. Once the BIOS 301 h&s 
received ihe nscesss^ ksy inputs snstiUCSsnc) A't^sch 
sjata fs rsquisecJ, xha proixfssirtg o{ Jhs ssi of -xioiiji-jrij - 
in>5tnx:iKX!S skssed in BIOS 301 z>co\m by rnicrc- 
p;(>:5-;;-K.-- SOI i^ncJ !f::;tf>;c,t« which on«: of o s«M o! stet« 
c;i;;io:;;> 5 ■■■^f'^c; SiOS fife, *hs co;f5p«s$f pia!?ot?y( 
vViil cc;'-f!!.;!.;f<.-' .i'sc v ■■<: ?.,-a->-. of 3 pkft.-^dfty o? &i3t8 ss- 
isdiens i!-5to 'A'htcn 5hi5 corrtpui&r pfet-osin msty ssfs>t m&Y 
bs sloftKi as sopatalD booi options \v,;f!!r> BfOS 3Cn 

corrset: fOiUine of SiOS fiie 30"! *s S'Sisctsd t;y Ens user. 

ostitis: computer pistform ;r!:0 «n ope(3.Ein« i^ystjnr! o? thQ 



^f:<^ ire jftt» ct i.-t^ iOftd p ogmtr Vihm f& isstJ?^ tc sn^Sali 
ttis opersstog system, in step 907. Onc« irsthe ssiecl^d 
state. tfitstEKS cofTiponsnt 202 continues, io step §ca to 

•-!VJ.sS!jfijr-i>-r)i ;f- • >r ;S>s> ■ss-lectftd Statical' 
■Biuo^iy, |-xsKtnji for d;sc!<;f.-ar-ci*i;. i'ayfe, sncJ vatiiJ- 
!)«n3 layn Ihe wnnat expscted ^;p«r8lfc»i pf the ecsfrspy- 
tef plat'ixtTE wibin Mmi stat^. Six*? intogftty rfiStSsyrd- 
snsi-sts stii stskSs fey {ryst^ cofttfXJnerst gO£ 3<snding out 
isilerrogatton signafe te mdividiis} componetils of ifie 
compoJe? pMorm, md receiving fsspcrsss signals from 
Ehe mdivsdua! eompons«ts of ths conipuf^i' pfatfc^rfrs, 
wnich rssponse s-ignsts the tmsted component may 
CG'^ips,}^! v»i5n ,« pi««8te!?n>!!SK3 p'S^Oi^ded se' ot expQCt- 
!id 'ssocnse e'csn^sis coffssporidsnp to lix^s psftiCLiUJi 

co:r!f:..;.r;.5f;; ir;*; !Kr;Er--^;O!T!pon'-5rs;202c»n-!p8resJi-se 
iniegtiEy rnsEfti^s. sTjs-ss-ursd Irojrt the cosrspiiSsf piatforr;^ 
in t:hs sefecu&i:! Si35« 'xm tt^e ssE of sntegflty o-i«>rrici> 
tHiSy rv.^'v^, iO 3'-' i5xv> 3i, 'hi> ,5. >' a''o r ) 



sjefofs f>oot ijp by Eh« BiGS compos^ient commences 
Hovvsver, !?■} Siiternsuiv^ vafiations of ths; best n-jods ini- 
piQfnssit&siOfi dsscfsbed hsresit, if is not nscssssry for 
tfis trusted cotr^ponertS to obtain cofttrct ot the boot up 
proosss, ijijt the trusted corripcs-fent dosii fi-sonstor a 
cOiVipiii'-j!- piatfOffrs: aod in partiouiar the BIOS compo- 
mtni 391 By (txsfjiionrsij th« iximpyter piisliOftr!.. the 
if!j5tt!xt cosTT-rxisxioi sKii«?> <;tet« which dascnbtss which 
SSDS ops!Ot?s hav« bi£s<sf} y5i®d to boot th« coftipytsr. 
im wi?ioh opsrattfsg syste has bmn 3<sft!i;t?Jd Ths 
tf«stsd compof?«r)t sfso D-iOfiitors; ths io^dms prot^fart^ 
liftsd tfs )nai;sii -he opSf;3;tin« syatijrf!. 
P<i7S] T^«re wiii now Ess descisbixi an «;xafnpb of op^ 



jiXiing over a plumbty c 



i»fnpi!t!!S!; enSify into a irusted state 700 as hmmn bs- 
fofcd^scfibsid sn s iis-s- boot process lOOO in 'hs uustso 
slaEs. ^^ie os-tii- conimsi^ces a fitstssssiosi ^ 00" of osiags 
of stifi! tompui'ttg ©nitty, Wttfiln th« session, bsotuis? ttis 
cofT?put«f pytorms5feQoi8d!ntoth<sify$ted3i;!t5, a prsJ- 
deESftriined set ot logicjt! atid phystesjl resoyfcss are 

V* avaifabio to the user wiihin that trysted state. Typicaity. 
this woufd inclijde stccssstoaf! operating systsfi-i and a 
pr«(Set'xn-!!0<xi sslectton ot appiicatois. Tfis i{:-v<5i oi 
trust w,<hid} sppfies to -ho irysted st?ite varies (ieperirjii-ig 
lipof? th» riyrriisor, cx!«if>i«sjjy snd reilaijiiity or n-a phys- 

M ic^land bgieal reseuf aes iwasli^lsSslo the yssrvjilttirr 
trusted ststo. fof sxisrs^pf^, where She irusjed si&se is 
oonfigisred to use a v!fg!!-knov.?r? reSabie operatsts sys- 
tsrri; SorsxafTspis tJNIX, and a retiabte word pfooessifig 
package with minima! aces^s to peripheral dsvices of 

^0 the computer pMorsri tJSing perr^iitfed in th<2 trusted 
?t;atiSi for exafVjpie no access to ntoden ss. arid acooss to 
o>»Vv Or!\^ ^si c ed X si>"ct f Jtn6 ^ '"D 
writer: then this may have a roiativsiy ni^ dsgrse of 

# aygsiabis. Ihs iHiSt Isve! wouid Ds ditfsrent to that in a 



tthss« 



301 Dufii 
3n isppii;;. 



may nave seoontiCj-jiOd the appiicatioris ssnd^o 
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msy havs bmn tormstistd wilh cm\h:ri \]m spacing, fo'-a 
stytes sSc To avoid thsss ssS^gs bssng bst on iessv-rtg 
1^8 trusts siois, huch SQt'JftCjS comp()Sin<; sssssoft tist«s 
1006 my bo s*&fOd dii'tn^ th® scssc-i-i P'snsisfS^ 'c. 

ing tost (he oiiSpuJ ti3«! date rsisty be stored di.;; ing ih« 
<>ss{:liXi. rkms-jGr, ihoysgf ssssiw 1001 csjiy exssts si 
!Nv ;ryst«>rf sU3S<! as Son§ sis tho Irustod s{ate issjcists.. 
Thfjfs-fore. lo avoid ioss of ssnings ar-d dsi-a from tbe 

firs;! sassifjw lOO l ■!) tttiJ fmsted Stete 708. Ifm eiit^5!j:t 
LJssr dsia af?d s5Jssj<sn date mus! !;5ored as stereo 
ouJpu; user <teia 1007 and ssrsd ssssbrs «teta 100S re- 
^pscS'Wly esfofs sh«; ifustsci steis ssfi tys: exited. Tns 

Wfstef psi'tphersi for -jss sn a Sunhsr {iijsesssivs sesston. 
Ci bs sncrypisd and ssgnssii and then s;8v«d m a (sMi^ose 

cotrspfinani andic- 'he iirnAnssiid. Exi- She 

sower dow!-; pwsss 7Q7. in ;r-4: i S!Of 5;-3-5i:on k\ \he 
-,f ys:sG sUisS, pfoces^ssng oi usst Irspnj (iau ooc.:' s xSnsi 
ttss oirtput of th® process is ihs o«{pat procssseci dstet 
The pfocssssd tista sJorod sfier procss^ing o? 
ths data hsslsssif^ioatediiSftd feetor&ths session is gf!d~ 
isd.. and baSofS {hs trystftd slstte is eKiSsd 
f0082} Refer ring io Fsg 11 Iweio, SNre is fcstfsied 
&;hO!Trt8t(c:aH5f opssafe of the corf^pvfiing enJsly on s 
sfiico!>d day, (n a ssctsttS sesste in th^ sams tfusiod 
stess 700 3eK\'(S«jr. jh& Srsi ijnsS ssc-ond sessions the 
rnistsQ" stale 700 disappssrs oompissoiy, since thecom- 
putir^g snliiy isfivss T-z- ■ rusted staSe 700, 0?^ iesvin^lhe 
ifoslec stale 700, spar- iforii Ihe stotsd output user dass 
as-sc! ssofsd s&ssion daia ihs compuief pfalfofrrs savss 
! o "-iio-^ ri ■ oc -x - - !\; trss tj-ysisd sti^^s o5h«if iiv^ii 
t?>^t; -.vr^^ch ;s p!6-p!09f<5-iir:ed ijVio ihs BIOS 301 snsJ 
rf>e l-->.sri:!-!!5 pi-Oi^^arj-is and ihc JKist'Jd co-rtpoftent 202. 
Thersiote to; as! praciics; p!i(»05es. on powsr-dovsn Of 

the absSsty ic rs-sntss- ti-s tf usisd sisia 7QG ihfcogf! a rssw 



ealS uplhe sasmsppiicate 1 002 as prevsousiy and may 
e!t«c1tvsiy corsirnua tr^e w>':k earned out di-snDg the f'l: -jJ 
sssssoi-s in tha ssoonci sas&io--i 1'!01 . Howsvsf: tsscaosa 
systifi^ ii~.e iftislsd siara mvorvas Eh& computsff piatfomi 
in {XiirnpisJto as-!inssia o{ a!! evanJs which occiji-.^sd during 
ihas Siusted sirui©. stm th'5 sSafe mss t;esn it 
if!j5;j!xi«tei<5 ii; r«aciiv3t8d 8ix3 She new ssss'csi^ !S coirt- 
m§!"!oe<i, the apiJsiealioJ"! t002 has nsmernoiy oi lis prs- 
vious configyKnion, Thcr«?ofe,, s-ofed otrjpyj ssssiof^ 
dat«s tOOS pfodsxed a! the «!xi of -fie firs! s«3s>ofi -sOOl 
!-n!j5,i bii s -pii! *rt?o ihs; S;ftix;!^d :5e;;i;!on 1101 orrfaf \a 




caulmuhi-on »r. jhs t;fst sissstcn. PraisfSs&iy, tnJsgrsty 
m;;a&ijrerrti5n; chs;cis.s SiiiS psiiafrrsed by ihs trusted cofft' 

■hi: s;fT!8!t(;a(d or iiiorsigs snacjj'jtn, bsfofss that mia is 

caU3 ; ;02 ■> snsut by ii-ie and ;;hs fynii^r daJS: is 
proc$:3sed tc^gsii'ssi wp:h ine siofsd iirss OiJipyi dsUi 1 007 
acscordirsg to the apjSiicatiQn 1002 ooniigwresS according 
so \hQ first stored oyspyf session mi& 1008 in process 

V* nos. Processing of tho daf,% 11G3 d^firiig Jhe second 
sssslon -UOJ isi^utts. n s new ix.rpui us'jr dsrla ff04 it 
ths gppiiSSftiOf: o; c-p&J.aii-x; •;ys.■;^!n i>-! shs; ssc:;>'id 
sftssicJF? hascharivjed srs c:cni:;^i;?.;;lor; dyrsng :5S!;;o.'sc' 
S0SSSCS?. shss (&so!t« *t't a rssw sii§§icjn daia iiOS. As vvah 

ss tf!8 \]r^\ ssssidfj, in order ?o closo iho session wSfjotsi 
iosifi^l the seUinge of th© sppiication pfo^ram, and op- 
erating system, and wi^out tosing Jlis benefit of She 
vi?ork oarnsd oyl during slie second ssssicO; Potn fi^s 
rssw session datiS i tOS arid ihs new output vssar data 
1 104 «&{JCi to b€} stcfsd Thssa data ars stored rsspac- 

ste.rsd new ?©3siO!' data 110?. 
[0033] ths a--!d of ths sacof^d s<5f.sior;, rins ssision 
o'04fda**3' lavi'^C! x * k ^ h 
*^ second session, .and ih« Ui.!5.;-5d 6-ia*-3 is <;.:<!■<;;; vis .h 
powar down process or fs-boot psocess 706. 7D7. Aii 
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stale-. According to Ihs afecvs rrsethod oi operation,. 5he 
imsfeci s.L-3te ?00 fvoy sicf w.<5« soy rsijirtbsr o? tfrr!<5s, 
arid my rtufnfosr cs{ sessions caffisc! ouL Hovs'svsf. ones 
?t iisloi s-!,5S«;> ss exited. trLsstsd s^ate h£«s no inop-s- 
o: y o! :>ViC': s&j;sio«s Any ooE-ifigijratis^-! trss trust- 
•:3i:i ;;! ;u-5 ri^u^:; ;x; by new inps.'t of tteta 10Os% t1D2. »f by 
iiisaj^ c;! ^-ovIiXiKiy stored gsssion date Of M$st d8ta 
1007. V,06. 1107. 

fOOSS} in }he above ci«serfbsc5 sp^seillc sTspisfrienSa- 
•jofjs, spisciflo >^«ftocis, specific smbcsdimsriis stod 





$«i.3 ?'04or ifS-boo; pf;XtJ;5i n ji-s s-ui-seti it 
ussr $ot$f5> it fiortifnetnci tc caii up a tfiisteci compcsnsnt 
contigymtion msnu irs stsjj 1201, Tiis trtiSlsd compo- 
rssntooofigurittion msni! cotriprisss a 8«t of hstaictions 
stored in memoty and li^^iifth ss eniy sccessibis via a 
5r4^t«d steste. in ofds? to !mk& ch8?>8&s to ti^ie fjiensj, 
vaf iotss Jevslis or^xsurtty fxiay b!> For ^x^mpte^ 

a iissf ffiay ssquifSKi to eolef asscor&passvwiJEdi for 
sx-ifnpfe !• ps^woi« comptisirig nytribigts sf^ci i9S8r$ or 
ot^s&f ctistiKit^jrs ff! st«^3 ISOS, Tm trusted wrtponsnt 
monitors ths trustsd stsls ffssm which ths trusted com- 
pmmt esn fee rseonf jgumd by ecrniJ&'liig rrseasufsd ior 
Lsgrgy rnstrfcs fron? ttie compulsf pfstfoi?« wi^itst in the 
trustsd state, with ths &st of prs-storsd iofegi-sty jTistfics 
miah th<5 trustsd son-sponsnf stems in Us own msmofy 
si^a Th>s tiuSiSd ccsriponent wiii not ailow s userto re- 
conhgofi5;n^tj!j5.-.:;ci coirpcnefst unissslhgints-^fify 

rnetSiCS. bv > U-iJ'^Ee'i COnipO!-;S;-!t WS-sSCf ths 

corripuiij;- pi.a;!<;i!T- is iis tf!js.t'jd state fjc^^-s ¥i,'f"!:cn ttte 




ift StSP I30a toilOW;: :C3 WniCn H u-- •::\.;sti;0 CO=r:pon$f}t VOi' 

ifiss the idos-itity oS siie iser Dy ^tadint; data from ths 
Sfrsart card vssi s-n^'sii caid interface 505 AdditlonaSiy, the 
user nisiy be ■equijed to input physscsti oonfirmatson of 
s h!S cf rssr pf^&Sf^ce by adsvatton of confiftriatson key 1 04 
piWiding dkect sipot into tfustsd componsiSi 202 as ds- 
sciiisod witf"! reference to Fig 5 t}eo>n in step 1 204. DatS 
desctiSjing tKe< trustt^^ esiste for ssxafi^pte. when opotst- 
eystem to ues. and whsch sppliastws fo use. E^f^ay 
fes etof«d on {h« Sfnsrt carci snd tJS«d to boot the 
co'^puts? pteifoim the tfustsd st-sis 
POSS) Om& iii-i sec.jriiy ■..s-issci-:'; ;'X:tii:>;:;-:;5 'hs; ?:;5S5i- 
woid vsiitfcaticn t;y s.mur; Ct-<fd and/or j-sciiv-iuc!! of the 




a vfssr «r(ay f(?f wt ^o, o i - v fs cc ^JCfr^jo 
mnt Fof sxitmpie. a ussf ■ • ivtiiyr^ i^o ir:;<sgrrty met • 

V* f^cs usest to monitor the co.Ttpi:te) patiofs-n 

|£KS^| 8y storing predetermined digest dsta corre- 
spondiosj to a pfuraiity of imegnjy mific& pr^smt in a 
stsfs tnssife ths trsistfid cornposisnf s o\m\ rm^y. tfjis 
rt^ piWitSg t^e tfiistsd eOfnpoftsrst vtath datis wttich it 

ss rf5»y corf!p«re with a digest data of a statg into wNch tt^ie 
computer piatferm is tjooted, for ihs trusted cotriponenf 
to check that the eon^pt.«tef ptatform has not been booted 
Mo an arsauihori^ed state: 

j The tfijsted component pnnriadiy n^onitorsboot 

^0 sip of the compiiter piattoirn The ir!.is1ec3 ccniponent 
does not «ecassaniy tat-ce aoH^ol ot ccrnpLrisr pi^t- 
form i? the computer ptatton n bcois :nfc ■jnsa-ijon.-'sd 
stftta a!tr!Oi.!C«- >r - - \ -^x s x 

within tftfictntssed componsrsr which cnabiss the ttustfid 
ean^ponsnt to latce control of ms conipuisr psatlorm if 




t ^ J>- ft ^ t. ^0 I ^ 
tne EfUiJl&ci cooxaoneni i5«to.'-5 actuaiiy ioadsng Stis appli- 
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Uo<ri -r-a i. i If .! K.;r!>.,n«;t Th? sssston sr, 
siale e)i*sLs orily tsnipot^tty memory, tot sxsmpie -^tv 
<3om access iTierr^ory. which -s rssst wh<5n trss Uij^jfjcj 

|0093] in the stjove dsscnbsd impfem^rttsiSiOi-iS, aver- 
sion oJ a axopytef emiiy :« which s tryssod cornpensfit 
fcsti-^?:-;? x'iShm a vicJ'X'. pistt to <j visiijxii dssplay -fftti hsve 

p;s!h to a visijai display tirssL si wnj be ufsdsrsfecscS by pet- 
soris sksssjd m ■.h& &-t that sns; sibovs S3&s;t mods ifTfiie- 

|§084| in «3s above deisccibsci best rnods eoibodi - 
msRt. rrseSSiods ot opsirauon have besri osscnbsc 

is; rsqus-'Sd in order so aniet a pssdicijia; as&if&d Siiats. 
f D! sxarnpfe a ussr snpui sviay i>fi roqs^irsd !0 spscsJy a 



:■■ pi.-: 



earvi. w^sich sS UfsnspodaQie iwivi cofnpute; piasiorrrrSo 
ccjrnpuisf pi&i'Oiffi. arj« ivr-ifci-i t^s liS'SCi io boo; up a 
compKter pfeiiOEfTi mio a pmclsssfminsd rgqviired slats. 
The smsrtc-ard rsssponcJs a sst o1 $xm s^issctfors cp- 
?fOs>s pr&ssf35«ci by « BIOS; aritS selects ens ssS a pkira^ity 
of oifsfsd choices o1 state. The BIOS ccs-ssains the state 
$9>{Sil!«iSi avaiistis ami s ssa cf ioadsng progtams as- 
•wsBy u^stat! Jhs vjissous c^fist^Jiog sysism vsfhicf? f^re* 
vi;fe ih« siafes. ij> frxscte o- op^rsliotK rslher Warn 
daia {i««i;nS)!!>g a pt^deJ&ftns-jeci ssa{« beirsg stored 
wilhifs Jhe fif&J (nfitncsty arsg d j.hs tais1«d corr^sxsfWtU. 
and ths BIOS system obtsining that dstatfom thetrusJ- 
sd corDponeni irv ordsr to bast the cerrsputsr piatfof m up 
:!ito s rsqtiirscS preclstsfinined si&ie^ Ihs ififoffTistics^ can 
bs ac.c8ss.scs Iron"! s s«w1 cafd sntemci inJo She sm&tt 

fOOSS] Using such smsisl csrc! pr$-<;onfigyfec} wiih 
dats lof s«.5isct!ni5 on* gs a pli-«<>S!ty of pmdst«srr>insci 
s.sa;e-5 « us---^!- ci-ssrying inth'A card may asiivsts Sifty 
s.i;i:h ccnipiii:!!^ coU{^ i-iav::-;;? .s t; iJiSiSd oompds-isnt and 
co-rsputsr pifilt^fm as doscfsbsd nfisfssn trsio a pfcsdsier- 
miiisd f;!S(JO ss spsjcifisd by 5he usst; wst^^ knowSjidgo 



OviS sithsf compiivng ssrsisy fotfjinns any o$ irss proc- 
dsiia or sossion corsiigiifffjioii dstJa oi !h«! pfs- 
Al«S8m^)fisci state. 



8 ixsnputef pfaten compnsiOf^ s ssiufai^/ oi 
p^iysicfs! and iogicai r«sourc«is tncluding a firsi 

a monfioisnj} conponsnt co'i^ptfssng a second 

dfiis o'ocessor snd 8 ^sjconci msmorv mesns: 



M ds-tsrmins Vihmh : issid pUifssiisy ot states ijad 
sefrsjssjter pisutesm fispfefstas ta 

Tbs cempaSing sniiiy as clsifried in claim 1, ¥4"ssr®ir) 
a said msmcify meanss^jf^isins s set of insin^t^^^^ 



(ssi rssoufses o? said cQmputsr platform itno said 
pf si^s gf miosd stats. 

3; Tbscompirting sritity asclaisTisd io efeim 1, innsfhich 
ax>t of «istid compt^ftr pistforra tfpm said pra-<teis3r- 
ftwd state n^tinitofstl S;sy said rtiorilioang cojifi- 
pOftsrst. 

4. Tha corrspistioi? entity tss cialrasd la siatm 1 .. whsrein 
said iT»onftofing component inosudss a BiOS ;iio 

5, Thsc«rnp«t«riggotstj?ssc)ain-!SCSsr(Ciatm 1 v^i'nsrsin 
said computer platSorsn compfises -^r^ isrsc-rns: 
firmware con-spcs^erti configured to com&u?« « d;- 
gssS <feta oi a 8!0S fils dasa «fcfsd p^■^deU5r• 
mined jnemofy spac$ ocoupisd Pv BO-^ ivy o' 
said compuf&f platsorrn 

fe. A msmod of ac!iva$in« a compii iing snlsty eort^ns' 
irsgacon-pussf piS'JOiro s^avif^g atirs! datsi prccsss- 
irsg sflsans; artd a, fiisrmsrfiory f>?<5ar!s; af;d a, frssni- 



pt'Of^h,' O! ; s "o'vi ot the D-cocv-c-iiKvd statu, as^o mih- 



seiftctifsg a saata oi &asd piu!S;:!y --A p^■^■^^■;>r;!^:^■ 
\siQd ops-ra-sof-ai sJatss into sftxci-i io acsiviita 
said CC;!T5pU5>3;- pialfo'm: 



is; 



LP 1 m m At 



USy a -^t, itO ElljC- Tip *■ ( O * e 

7 ~ho ( 0* H( a f J(^v} ! cU n !i,rio *Jtn «<J!C< t 

it is) t. it ! > 



sjyiij } iCiTi Ss> 1C ■O' 5 f U 1 •'^ <!i f. V ^cv 



3 



t }!c )<s fp6 HO il 



^i&'-M^ <^v! stass ffO"! s^!C f y of pre -cor* 

i na 31 fe* it $ tn 's>i> ^r^ y-? trj^ji ti- 
ptoe t^sroughs !« ts^ -^B 



-1 f!t>"«x* '"NtnstS •'^'^^(T' 
r> M ^ p!{ti it, 



5 c nv? s 



scJ stats: iJomprfses; 

a frsmo«v i<xatm of h( •nemoty 

siO ''fe** > 'Ti stfjig ail UfCN- ^1 

oamponanl: 

4» ' riq n ^ s3 "lOfsiJAit^g compor crt of 

O f fS-'^S O d ft " f. «f)t 

^sd d!q6V d-4{<5 !"5k od ! aii'=.«ro<^1 



'Ip ftSi 



^ iUi 



iri^r J •<!i;^<} « > f<.c"i o(<}vC(»><<<:n!if >j/ <jJ 



trs§ iVisans and a sscoficS sms-nofy rns«n& sasc! 
•^riS<jfijig 3 tsfst ot said coirsputef sntisy 



piyfssiiiy of data 



1! ji) « son m ii for r8C<^t c? <j w f^f « •i^ <^on 



liiStiTO fef said pKysicfii m6 ioQsc&i msftijrajs: 



s&id session, 



ssoflna ssss^ ussf data;: 

©xiJifig said cor?ip(^6r piatiofn- irmv ssid state. 

:fn§:Jhsst8pof' 

fgeonftgymg sasS jTsonHOf rig component au f- 
:(ng ssfd ussf sessiorsin said lifstssatS:. 
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